GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-29 22:55:15 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE4O 698,64GB Running: gmer.exe; Driver: C:\Users\Jarek76\AppData\Local\Temp\uwriqkow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000154d00 7 bytes [00, 89, F3, FF, C1, 98, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000154d08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1324] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1408] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, CB, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, C9, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1408] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, C7, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1440] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\winhttp.dll!WinHttpCloseHandle 000007fefb6822e0 12 bytes [48, B8, F9, A2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\winhttp.dll!WinHttpOpenRequest 000007fefb6845f8 12 bytes [48, B8, 39, A1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\winhttp.dll!WinHttpConnect 000007fefb693e3c 12 bytes [48, B8, B9, A4, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, CB, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, C9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, C7, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefd7ddd61 11 bytes [B8, 79, 8A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, CB, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, C9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, C7, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb6822e0 12 bytes [48, B8, F9, A2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb6845f8 12 bytes [48, B8, 39, A1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb693e3c 12 bytes [48, B8, B9, A4, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\msi.dll!MsiDecomposeDescriptorW + 157 000007fef33d3e45 11 bytes [B8, 79, 1D, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\msi.dll!MsiQueryProductStateA + 1 000007fef3452659 11 bytes [B8, 79, 4B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\msi.dll!MsiInstallProductA + 1 000007fef3452ad5 11 bytes [B8, F9, 47, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\msi.dll!MsiQueryProductStateW + 1 000007fef3461311 11 bytes [B8, 39, 4D, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\msi.dll!MsiInstallProductW + 1 000007fef346167d 11 bytes [B8, B9, 49, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\msi.dll!MsiOpenDatabaseW + 1 000007fef3479cf1 11 bytes [B8, 39, 46, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\msi.dll!MsiOpenDatabaseA + 1 000007fef3479f1d 11 bytes [B8, 79, 44, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 35, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, C7, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, C5, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, C4, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 39, 11, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, A8, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, C2, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, AB, 4F, 75, 00] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 39, 0A, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, 79, 0F, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\STacSV64.exe[1768] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, B9, 0D, 50, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\Hpservice.exe[1968] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[2040] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[1644] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2068] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, CB, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, C9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, C7, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb6822e0 12 bytes [48, B8, F9, A2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb6845f8 12 bytes [48, B8, 39, A1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2068] c:\windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb693e3c 12 bytes [48, B8, B9, A4, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, CB, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, C9, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, C7, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2292] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2340] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2512] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 35, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 0B, 50, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 0D, 50, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 08, 50, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2568] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb6822e0 12 bytes [48, B8, F9, A2, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb6845f8 12 bytes [48, B8, 39, A1, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] c:\windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb693e3c 12 bytes [48, B8, B9, A4, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, CB, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, C9, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2568] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, C7, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb6822e0 12 bytes [48, B8, F9, A2, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb6845f8 12 bytes [48, B8, 39, A1, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb693e3c 12 bytes [48, B8, B9, A4, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, 79, 1D, 50, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\system32\advapi32.DLL!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2604] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2700] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000074b82b40 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000074bb1f90 5 bytes JMP 0000000173414149 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000074bb2770 5 bytes JMP 00000001734121d1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000074c3e460 5 bytes JMP 0000000173412ab9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!closesocket 0000000075a03918 5 bytes JMP 0000000173415741 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 00000001734156a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173416ca1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173414dc1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!recv 0000000075a06b0e 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 0000000173416f01 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 0000000173416dd1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 0000000173414e59 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\ws2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173414ef1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b71401 2 bytes JMP 7588b21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b71419 2 bytes JMP 7588b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b71431 2 bytes JMP 75908f29 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b7144a 2 bytes CALL 7586489d C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b714dd 2 bytes JMP 75908822 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b714f5 2 bytes JMP 759089f8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b7150d 2 bytes JMP 75908718 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b71525 2 bytes JMP 75908ae2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b7153d 2 bytes JMP 7587fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b71555 2 bytes JMP 758868ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b7156d 2 bytes JMP 75908fe3 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b71585 2 bytes JMP 75908b42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b7159d 2 bytes JMP 759086dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b715b5 2 bytes JMP 7587fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b715cd 2 bytes JMP 7588b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b716b2 2 bytes JMP 75908ea4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b716bd 2 bytes JMP 75908671 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2856] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, B9, 22, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e1dc10 6 bytes [48, B8, B9, FF, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 0000000076e1dc18 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, B9, 30, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, CB, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, F9, 20, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, C9, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, F9, 2E, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, FA, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, 79, 32, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, FC, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, F9, 35, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 39, 2D, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 39, 1F, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, E1, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 39, 34, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, F9, 27, 50, 75] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 39, 26, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, 79, 01, 50, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, 79, 1D, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, C7, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, C5, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, C4, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, A8, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, C2, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, AB, 4F, 75, 00] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, F9, 0B, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, 39, 11, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, 79, 0F, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 39, 18, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, F9, 19, 50, 75] .text ... * 2 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, 39, 3B, 50, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 39, 0A, 50, 75, 00, 00] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2888] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b71401 2 bytes JMP 7588b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b71419 2 bytes JMP 7588b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b71431 2 bytes JMP 75908f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b7144a 2 bytes CALL 7586489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b714dd 2 bytes JMP 75908822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b714f5 2 bytes JMP 759089f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b7150d 2 bytes JMP 75908718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b71525 2 bytes JMP 75908ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b7153d 2 bytes JMP 7587fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b71555 2 bytes JMP 758868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b7156d 2 bytes JMP 75908fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b71585 2 bytes JMP 75908b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b7159d 2 bytes JMP 759086dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b715b5 2 bytes JMP 7587fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b715cd 2 bytes JMP 7588b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b716b2 2 bytes JMP 75908ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b716bd 2 bytes JMP 75908671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734177e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 00000001734173c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173417751 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417881 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734176b9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417329 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417919 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 00000001734174f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417459 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734169a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416911 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417291 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 00000001734179b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417621 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417589 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173417a49 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416b71 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416a41 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417031 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 00000001734171f9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416ad9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417161 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f99 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734170c9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417ae1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416c09 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 000000006cf417fa 2 bytes CALL 758611a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 000000006cf41860 2 bytes CALL 758611a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 000000006cf41942 2 bytes JMP 75a07089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000006cf4194d 2 bytes JMP 75a0cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a03918 5 bytes JMP 0000000173415741 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 00000001734156a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173416ca1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173414dc1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a06b0e 5 bytes JMP 0000000173416e69 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 0000000173416f01 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 0000000173416dd1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 0000000173414e59 .text C:\Windows\SysWOW64\PnkBstrA.exe[2096] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173414ef1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f01 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3252] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 20, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 2E, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, CB, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 1F, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, C9, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 2D, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, FA, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 30, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, FC, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 34, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 2B, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 1D, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, E1, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 32, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 26, 50, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 35, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb6822e0 12 bytes [48, B8, F9, BE, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb6845f8 12 bytes [48, B8, 39, BD, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb693e3c 12 bytes [48, B8, B9, C0, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, C7, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, C5, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, C4, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 39, 11, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, A8, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, C2, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, AB, 4F, 75, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 39, 0A, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, 79, 0F, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, B9, 0D, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, E7, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, E5, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3356] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f01 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a03918 5 bytes JMP 0000000173415741 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 00000001734156a9 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173414dc1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a06b0e 5 bytes JMP 0000000173416dd1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 0000000173414e59 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173414ef1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000074b82b40 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000074bb1f90 5 bytes JMP 0000000173414149 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000074bb2770 5 bytes JMP 00000001734121d1 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3504] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000074c3e460 5 bytes JMP 0000000173412ab9 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 35, 50, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, 39, 18, 50, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3612] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b71401 2 bytes JMP 7588b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b71419 2 bytes JMP 7588b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b71431 2 bytes JMP 75908f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b7144a 2 bytes CALL 7586489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b714dd 2 bytes JMP 75908822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b714f5 2 bytes JMP 759089f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b7150d 2 bytes JMP 75908718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b71525 2 bytes JMP 75908ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b7153d 2 bytes JMP 7587fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b71555 2 bytes JMP 758868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b7156d 2 bytes JMP 75908fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b71585 2 bytes JMP 75908b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b7159d 2 bytes JMP 759086dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b715b5 2 bytes JMP 7587fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b715cd 2 bytes JMP 7588b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b716b2 2 bytes JMP 75908ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b716bd 2 bytes JMP 75908671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000074b82b40 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000074bb1f90 5 bytes JMP 0000000173414149 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000074bb2770 5 bytes JMP 00000001734121d1 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3816] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000074c3e460 5 bytes JMP 0000000173412ab9 .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\servicing\TrustedInstaller.exe[4728] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 00000001734183c9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173418461 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b71401 2 bytes JMP 7588b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b71419 2 bytes JMP 7588b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b71431 2 bytes JMP 75908f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b7144a 2 bytes CALL 7586489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b714dd 2 bytes JMP 75908822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b714f5 2 bytes JMP 759089f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b7150d 2 bytes JMP 75908718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b71525 2 bytes JMP 75908ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b7153d 2 bytes JMP 7587fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b71555 2 bytes JMP 758868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b7156d 2 bytes JMP 75908fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b71585 2 bytes JMP 75908b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b7159d 2 bytes JMP 759086dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b715b5 2 bytes JMP 7587fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b715cd 2 bytes JMP 7588b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b716b2 2 bytes JMP 75908ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b716bd 2 bytes JMP 75908671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a03918 5 bytes JMP 00000001734160c1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 0000000173416029 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173415741 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a06b0e 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5084] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 00000001734183c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a03918 5 bytes JMP 00000001734160c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 0000000173416029 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173415741 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a06b0e 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b71401 2 bytes JMP 7588b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b71419 2 bytes JMP 7588b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b71431 2 bytes JMP 75908f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b7144a 2 bytes CALL 7586489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b714dd 2 bytes JMP 75908822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b714f5 2 bytes JMP 759089f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b7150d 2 bytes JMP 75908718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b71525 2 bytes JMP 75908ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b7153d 2 bytes JMP 7587fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b71555 2 bytes JMP 758868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b7156d 2 bytes JMP 75908fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b71585 2 bytes JMP 75908b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b7159d 2 bytes JMP 759086dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b715b5 2 bytes JMP 7587fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b715cd 2 bytes JMP 7588b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b716b2 2 bytes JMP 75908ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b716bd 2 bytes JMP 75908671 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [4172] entry point in ".rdata" section 00000000032a71e6 .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, B9, 8F, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, F9, 55, 4F, 75, 00, 00] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, F9, 5C, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, F9, 8D, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 39, 5B, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 79, 9F, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, F9, 71, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, 39, A1, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, B9, 73, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, B9, A4, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, B9, 9D, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, B9, 5E, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 39, 8C, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, 79, 60, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, F9, A2, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, F9, 94, 4F, 75] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, 39, 69, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 39, 93, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, 39, 70, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, B9, 6C, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, B9, 65, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, 39, 77, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, F9, 78, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, 79, 8A, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 79, 75, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, 79, 83, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, B9, 88, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 79, 7C, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, B9, 81, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, F9, 86, 4F, 75] .text ... * 2 .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, 79, 59, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, F9, 7F, 4F, 75, 00, 00] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, B9, 57, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, F9, 4E, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 79, 4B, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, 39, 46, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 79, 44, 4F, 75, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, 39, 4D, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, F9, 47, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, B9, 49, 4F, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[4248] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 0000000076fcf93c 5 bytes JMP 0000000173417291 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418201 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417dd9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173418169 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418299 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734180d1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417d41 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418331 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417f09 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417e71 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734173c1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417329 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417ca9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 00000001734183c9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173418039 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417fa1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173418461 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173417589 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173417459 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417a49 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417c11 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 00000001734174f1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417b79 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 00000001734179b1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417ae1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 00000001734184f9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417621 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\ProgramData\DatacardService\DCSHelper.exe[4296] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 00000001734183c9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173418461 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, F9, 6A, 4F, 75, 00, 00] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, F9, B0, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 39, 38, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, F9, 2B, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 39, 85, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 39, 3F, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, F9, 86, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, B9, 3B, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, 79, 2F, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, 79, 7C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, F9, 78, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, 79, 83, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, F9, 7F, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 39, 54, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, 79, 52, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, 1F, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, B9, B2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, B9, 50, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, 79, 44, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, F9, 24, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, B9, 42, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, 79, 6E, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 39, 62, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, B9, 57, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, F9, 63, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, B9, 5E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[4640] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, 79, 1D, 50, 75, 00, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\wbem\unsecapp.exe[2624] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 20, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 2E, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, CB, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 1F, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, C9, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 2D, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, FA, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 30, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, FC, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 34, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 2B, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 1D, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, E1, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 32, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 26, 50, 75] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 37, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefd128050 12 bytes [48, B8, B9, 65, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4364] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefd1295e1 11 bytes [B8, F9, 63, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[5048] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 35, 50, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[4888] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, F9, 6A, 4F, 75, 00, 00] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, F9, B0, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 39, 38, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, F9, 2B, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 39, 85, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 39, 3F, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, F9, 86, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, B9, 3B, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, 79, 2F, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, 79, 7C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, F9, 78, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, 79, 83, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, F9, 7F, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 39, 54, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, 79, 52, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, 1F, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, B9, B2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, B9, 50, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, 79, 44, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, F9, 24, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, B9, 42, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, 79, 6E, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 39, 62, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, B9, 57, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, F9, 63, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, B9, 5E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, 79, AD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, B9, AB, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, F9, A9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 39, 69, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, 79, 91, 4F, 75, 00] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, B9, 8F, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefd128050 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\System32\rundll32.exe[5056] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefd1295e1 11 bytes [B8, B9, 65, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[4128] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 00000001734183c9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173418461 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4872] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 00000001734176b9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 00000001734169a9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416b71 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416a41 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 0000000173417031 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416ad9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1404] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 20, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 2E, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, CB, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 1F, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, C9, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 2D, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, FA, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 30, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, FC, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 34, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 2B, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 1D, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, E1, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 32, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 26, 50, 75] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 35, 50, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\USB Vibration\7906\USB Gamepad.exe[1360] C:\Windows\system32\DINPUT.dll!DirectInputCreateEx + 1 000007fefa16d685 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc1e56e0 12 bytes [48, B8, 39, CB, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc1f010c 12 bytes [48, B8, 79, C9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5200] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc20daa0 12 bytes [48, B8, B9, C7, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 2 bytes [B8, 79] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 4 0000000076cd0944 8 bytes [50, 75, 00, 00, 00, 00, 50, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, EE, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, D0, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, FF, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, 01, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, CE, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, CC, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, EA, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, 03, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, 16, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, 18, 50, 75] .text ... * 2 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 37, 50, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, 08, 50, 75, 00, 00] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5752] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 00000001734183c9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173418461 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a03918 5 bytes JMP 00000001734160c1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 0000000173416029 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173415741 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a06b0e 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b71401 2 bytes JMP 7588b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b71419 2 bytes JMP 7588b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b71431 2 bytes JMP 75908f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b7144a 2 bytes CALL 7586489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b714dd 2 bytes JMP 75908822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b714f5 2 bytes JMP 759089f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b7150d 2 bytes JMP 75908718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b71525 2 bytes JMP 75908ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b7153d 2 bytes JMP 7587fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b71555 2 bytes JMP 758868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b7156d 2 bytes JMP 75908fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b71585 2 bytes JMP 75908b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b7159d 2 bytes JMP 759086dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b715b5 2 bytes JMP 7587fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b715cd 2 bytes JMP 7588b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b716b2 2 bytes JMP 75908ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[6068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b716bd 2 bytes JMP 75908671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a03918 5 bytes JMP 00000001734160c1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 0000000173416029 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173415741 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a06b0e 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173418461 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 00000001734184f9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[5728] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 00000001734183c9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173418461 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a03918 5 bytes JMP 00000001734160c1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a03cd3 5 bytes JMP 0000000173416029 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a03eb8 5 bytes JMP 0000000173417621 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a04406 5 bytes JMP 0000000173412139 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a04889 5 bytes JMP 0000000173415741 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a06b0e 5 bytes JMP 00000001734177e9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a06bdd 1 byte JMP 00000001734141e1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a06bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!send 0000000075a06f01 5 bytes JMP 00000001734120a1 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a07089 5 bytes JMP 0000000173417881 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a0cc3f 5 bytes JMP 0000000173417751 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a0d1ea 5 bytes JMP 00000001734157d9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a17673 5 bytes JMP 0000000173415871 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b71401 2 bytes JMP 7588b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b71419 2 bytes JMP 7588b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b71431 2 bytes JMP 75908f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b7144a 2 bytes CALL 7586489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b714dd 2 bytes JMP 75908822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b714f5 2 bytes JMP 759089f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b7150d 2 bytes JMP 75908718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b71525 2 bytes JMP 75908ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b7153d 2 bytes JMP 7587fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b71555 2 bytes JMP 758868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b7156d 2 bytes JMP 75908fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b71585 2 bytes JMP 75908b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b7159d 2 bytes JMP 759086dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b715b5 2 bytes JMP 7587fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b715cd 2 bytes JMP 7588b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b716b2 2 bytes JMP 75908ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b716bd 2 bytes JMP 75908671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 1B, 50, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[5740] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefebb13b1 11 bytes [B8, B9, AB, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!closesocket 000007fefebb18e0 12 bytes [48, B8, F9, A9, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefebb1bd1 11 bytes [B8, 39, A8, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefebb2201 11 bytes [B8, 79, F3, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefebb23c0 12 bytes [48, B8, 39, 8C, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!connect 000007fefebb45c0 12 bytes [48, B8, 79, 67, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!send + 1 000007fefebb8001 11 bytes [B8, 79, A6, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefebb8df0 7 bytes [48, B8, B9, 8F, 4F, 75, 00] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefebb8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefebbc090 12 bytes [48, B8, F9, 8D, 4F, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefebbde91 11 bytes [B8, 79, EC, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefebbdf41 11 bytes [B8, B9, F1, 4F, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4980] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefebde0f1 11 bytes [B8, F9, EF, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076df8731 11 bytes [B8, F9, 04, 50, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e06761 7 bytes [B8, 39, 69, 4F, 75, 00, 00] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e0676a 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e1dc30 6 bytes [48, B8, F9, 12, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e1dc38 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e1dca0 6 bytes [48, B8, 79, C2, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e1dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e1dd70 6 bytes [48, B8, 39, AF, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e1dd78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e1ddc0 6 bytes [48, B8, 39, 03, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e1ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e1de10 6 bytes [48, B8, F9, 32, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e1de18 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e1de30 6 bytes [48, B8, 39, 1C, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e1de38 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e1de50 6 bytes [48, B8, F9, 1D, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e1de58 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e1de70 6 bytes [48, B8, 79, AD, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e1de78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e1df20 6 bytes [48, B8, 39, 11, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e1df28 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e1df50 6 bytes [48, B8, 79, 2F, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e1df58 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e1df70 6 bytes [48, B8, 79, 36, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e1df78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e1dfc0 6 bytes [48, B8, 79, DE, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e1dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e1e000 6 bytes [48, B8, B9, 34, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e1e008 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e1e050 6 bytes [48, B8, B9, 14, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e1e058 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e1e080 6 bytes [48, B8, 39, 2A, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e1e088 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e1e090 6 bytes [48, B8, B9, 26, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e1e098 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e1e100 6 bytes [48, B8, 39, E0, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e1e108 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e1e1b0 6 bytes [48, B8, 39, 18, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e1e1b8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e1e580 6 bytes [48, B8, 79, 0F, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e1e588 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e1e5d0 6 bytes [48, B8, 79, 28, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e1e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e1e630 6 bytes [48, B8, F9, 24, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e1e638 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e1e9a0 6 bytes [48, B8, 39, C4, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e1e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e1eb70 6 bytes [48, B8, 79, 01, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e1eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e1eee0 6 bytes [48, B8, 79, 83, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e1eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e1f0e0 6 bytes [48, B8, 39, 31, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e1f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e1f2a0 6 bytes [48, B8, F9, C5, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e1f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e1f380 6 bytes [48, B8, 79, 3D, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e1f388 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e1f390 6 bytes [48, B8, B9, 3B, 4F, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e1f398 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e1f3a0 6 bytes [48, B8, 79, 16, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e1f3a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e1f480 6 bytes [48, B8, 39, 0A, 50, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e1f488 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076e8ed21 11 bytes [B8, 39, 85, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, 79, 08, 50, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, B9, E3, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, B9, FF, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, F9, E1, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, F9, E8, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, 79, FA, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 39, FC, 4F, 75] .text ... * 2 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 19, 50, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, 79, EC, 4F, 75, 00, 00] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[5336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173418169 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 00000001734167e1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 00000001734161f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417d41 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 0000000173416159 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734180d1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 0000000173417161 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173418201 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173418039 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173416879 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 0000000173417ca9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173416911 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 0000000173418299 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417e71 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 0000000173417dd9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 00000001734170c9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 0000000173416e69 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173416749 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 0000000173416d39 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416f99 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 00000001734171f9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416c09 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 0000000173416321 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173416289 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 00000001734163b9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173417329 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 0000000173417291 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417c11 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 00000001734174f1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 00000001734173c1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734179b1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417b79 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173417459 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 0000000173417ae1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417919 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417a49 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173418331 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173417589 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 00000001734183c9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173415909 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 5 bytes JMP 0000000173416581 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173418461 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 00000001734159a1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173416451 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 00000001734164e9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 0000000173415a39 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 0000000173417fa1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415dc9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417f09 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 0000000173415d31 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 0000000173415b69 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173416619 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415ad1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 5 bytes JMP 0000000173415c01 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415c99 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3436] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 0000000173414d29 .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076cb1b21 11 bytes [B8, B9, C0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076cb1c10 12 bytes [48, B8, F9, 39, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076cb2b61 8 bytes [B8, B9, D5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076cb2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ccdbc0 12 bytes [48, B8, B9, 2D, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cd0941 11 bytes [B8, B9, 06, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d05321 11 bytes [B8, B9, 7A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d05341 11 bytes [B8, 39, 77, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d1a650 12 bytes [48, B8, B9, 81, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d1a760 12 bytes [48, B8, 39, 7E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d3f501 11 bytes [B8, B9, DC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d3f701 11 bytes [B8, 39, D9, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d3f731 8 bytes [B8, 39, D2, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d3f73a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcce1861 11 bytes [B8, 79, 52, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcce2db1 11 bytes [B8, 79, B4, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcce3461 11 bytes [B8, 39, B6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcce5370 12 bytes [48, B8, F9, E1, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcce5eb1 11 bytes [B8, B9, E3, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcce8f20 12 bytes [48, B8, B9, 50, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcce97a1 11 bytes [B8, F9, FD, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefccea0e1 11 bytes [B8, 39, E0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcceaec0 12 bytes [48, B8, B9, B2, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcceca31 11 bytes [B8, F9, B0, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefccf37d1 11 bytes [B8, F9, 4E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcd14310 12 bytes [48, B8, B9, 42, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcd20bd1 11 bytes [B8, B9, CE, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcd22831 8 bytes [B8, 39, 23, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcd2283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcd22871 11 bytes [B8, F9, 40, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe6a642d 11 bytes [B8, 39, 5B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe6a6484 12 bytes [48, B8, F9, 55, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe6a6519 11 bytes [B8, 39, 62, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe6a6c34 12 bytes [48, B8, 39, 54, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe6a7ab5 11 bytes [B8, F9, 5C, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe6a8b01 11 bytes [B8, B9, 57, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe6a8c39 11 bytes [B8, 79, 59, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff00ae81 11 bytes [B8, F9, F6, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff00aee1 11 bytes [B8, 79, E5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff00e6e9 11 bytes [B8, 39, FC, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff01048d 11 bytes [B8, 39, E7, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff010579 11 bytes [B8, 39, F5, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff0105b1 11 bytes [B8, B9, F8, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007feff0105f9 5 bytes [B8, 79, FA, 4F, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff024e21 11 bytes [B8, F9, 12, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff025538 12 bytes [48, B8, B9, 6C, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff03b9c1 7 bytes [B8, B9, EA, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff03b9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff03ba4c 12 bytes [48, B8, F9, 6A, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff03bbc0 12 bytes [48, B8, 79, 60, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff03bc2c 12 bytes [48, B8, B9, 5E, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!CreateWindowExA 0000000076bba2e0 12 bytes [48, B8, 39, 93, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!CallNextHookEx + 1 0000000076bbbae1 11 bytes [B8, F9, 86, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowW + 1 0000000076bbd265 7 bytes [B8, 79, BB, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowW + 9 0000000076bbd26d 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000076bbd440 6 bytes [48, B8, B9, 88, 4F, 75] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8 0000000076bbd448 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1 0000000076bbf875 7 bytes [B8, 79, 21, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9 0000000076bbf87d 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!CreateWindowExW 0000000076bc0810 12 bytes [48, B8, 79, 91, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!ShowWindow 0000000076bc1930 6 bytes [48, B8, F9, 94, 4F, 75] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!ShowWindow + 8 0000000076bc1938 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!PeekMessageA + 1 0000000076bc3a19 11 bytes [B8, F9, 71, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076bc4d4c 12 bytes [48, B8, 39, 3F, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!GetMessageA + 1 0000000076bc6111 11 bytes [B8, 79, 6E, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!SetWindowTextW + 1 0000000076bc7055 11 bytes [B8, 79, 9F, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!PeekMessageW + 1 0000000076bc8fd1 11 bytes [B8, B9, 73, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!GetMessageW 0000000076bc9e74 12 bytes [48, B8, 39, 70, 4F, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1 0000000076bca2c9 11 bytes [B8, B9, 14, 50, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1 0000000076bd4efd 11 bytes [B8, 79, 98, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1 0000000076bd7469 11 bytes [B8, B9, 96, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowA + 1 0000000076bd8271 7 bytes [B8, F9, B7, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowA + 9 0000000076bd8279 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1 0000000076bd8c21 8 bytes [B8, B9, 1F, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10 0000000076bd8c2a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowExW + 1 0000000076bd8d21 7 bytes [B8, 39, BD, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowExW + 9 0000000076bd8d29 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!MessageBoxExA + 1 0000000076c21371 11 bytes [B8, 39, 9A, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!MessageBoxExW + 1 0000000076c21395 11 bytes [B8, F9, 9B, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!SetWindowTextA + 1 0000000076c2d379 11 bytes [B8, B9, 9D, 4F, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowExA + 1 0000000076c2dae1 7 bytes [B8, B9, B9, 4F, 75, 00, 00] .text C:\Windows\System32\svchost.exe[5304] C:\Windows\system32\USER32.dll!FindWindowExA + 9 0000000076c2dae9 3 bytes [00, 50, C3] .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 0000000076fcf93c 5 bytes JMP 0000000173416911 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000076fcf974 5 bytes JMP 0000000173417881 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fcfa2c 5 bytes JMP 0000000173415e61 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076fcfb74 5 bytes JMP 0000000173415871 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000076fcfbf4 5 bytes JMP 0000000173417459 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000076fcfc6c 5 bytes JMP 00000001734131d9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fcfc9c 5 bytes JMP 00000001734115f1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000076fcfccc 5 bytes JMP 0000000173411689 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fcfcfc 5 bytes JMP 00000001734157d9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fcfe14 5 bytes JMP 00000001734177e9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fcfe60 5 bytes JMP 00000001734130a9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000076fcfe90 5 bytes JMP 0000000173413309 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fcff0c 5 bytes JMP 00000001734167e1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000076fcff70 5 bytes JMP 0000000173413271 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076fcfff0 5 bytes JMP 0000000173417919 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000076fd0038 5 bytes JMP 0000000173412ee1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076fd0050 5 bytes JMP 0000000173412db1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076fd0100 5 bytes JMP 0000000173411ed9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000076fd0210 5 bytes JMP 0000000173412301 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fd07e8 5 bytes JMP 0000000173417751 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000076fd0860 5 bytes JMP 0000000173412e49 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076fd08f0 5 bytes JMP 0000000173412d19 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076fd0e40 5 bytes JMP 0000000173415ef9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000076fd110c 5 bytes JMP 00000001734173c1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000076fd1650 5 bytes JMP 0000000173414ac9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fd196c 5 bytes JMP 0000000173413141 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076fd1c30 5 bytes JMP 0000000173415f91 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000076fd1da0 5 bytes JMP 0000000173413439 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076fd1dbc 5 bytes JMP 00000001734133a1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076fd1dd8 5 bytes JMP 00000001734179b1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000076fd1f34 5 bytes JMP 0000000173417589 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000076fe4964 5 bytes JMP 0000000173411ab1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000076ff0fe1 5 bytes JMP 00000001734174f1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077010f4b 5 bytes JMP 0000000173412009 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770588cf 5 bytes JMP 0000000173414b61 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007705eb6b 5 bytes JMP 0000000173411f71 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075860e00 5 bytes JMP 0000000173411da9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075861072 5 bytes JMP 0000000173412a21 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007586498f 5 bytes JMP 00000001734125f9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075873bab 5 bytes JMP 0000000173413011 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075879aa4 5 bytes JMP 0000000173416749 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075879b05 5 bytes JMP 00000001734164e9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075887327 5 bytes JMP 0000000173412729 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000758888da 5 bytes JMP 0000000173415dc9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007588ccb1 5 bytes JMP 00000001734163b9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007588ccd1 5 bytes JMP 0000000173416619 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!WinExec 00000000758e3051 5 bytes JMP 00000001734128f1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007590751b 5 bytes JMP 00000001734146a1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007590753e 5 bytes JMP 00000001734147d1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000759078e9 5 bytes JMP 0000000173414901 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075907962 5 bytes JMP 0000000173414a31 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000769f8f8d 5 bytes JMP 0000000173411a19 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000769fc436 5 bytes JMP 0000000173413b59 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 00000000769fd0af 5 bytes JMP 0000000173416879 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000769feca6 5 bytes JMP 0000000173413601 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000769ff206 5 bytes JMP 0000000173412399 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000769ffa89 5 bytes JMP 0000000173411e41 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000769ffbb7 5 bytes JMP 0000000173416289 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076a01358 5 bytes JMP 0000000173413ac1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076a0137f 5 bytes JMP 0000000173413a29 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076a01d29 5 bytes JMP 0000000173411981 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076a01e15 5 bytes JMP 00000001734124c9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076a02ab1 5 bytes JMP 00000001734159a1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076a02cdf 5 bytes JMP 0000000173415909 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076a02d1d 5 bytes JMP 0000000173415a39 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076a02e80 5 bytes JMP 00000001734118e9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076a03b76 5 bytes JMP 0000000173412269 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076a0449c 5 bytes JMP 0000000173412431 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076a0460e 5 bytes JMP 0000000173413569 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076a04637 5 bytes JMP 0000000173412c81 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076a0a217 5 bytes JMP 0000000173416a41 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076a0a500 5 bytes JMP 00000001734169a9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076a0c73a 5 bytes JMP 00000001734127c1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076a0e2a4 5 bytes JMP 0000000173417329 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000768d8e89 5 bytes JMP 0000000173416c09 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000768d9179 5 bytes JMP 0000000173416ad9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000768d9186 5 bytes JMP 00000001734170c9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000768dc4d2 5 bytes JMP 0000000173417291 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000768dc9ec 5 bytes JMP 0000000173413c89 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000768ddeb4 5 bytes JMP 0000000173416b71 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000768dded6 5 bytes JMP 00000001734171f9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000768ddeee 5 bytes JMP 0000000173417031 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000768ddf1e 5 bytes JMP 0000000173417161 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000768e2b50 5 bytes JMP 0000000173413bf1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000768e35fc 5 bytes JMP 00000001734140b1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000768e494d 5 bytes JMP 0000000173417a49 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768f7154 5 bytes JMP 0000000173414311 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768f716c 5 bytes JMP 0000000173413e51 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768f7184 5 bytes JMP 0000000173413ee9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000768f77cb 5 bytes JMP 0000000173416ca1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769133bc 5 bytes JMP 0000000173413f81 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769133cc 5 bytes JMP 0000000173414019 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769133dc 5 bytes JMP 0000000173413d21 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769133ec 5 bytes JMP 0000000173413db9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007691342c 5 bytes JMP 0000000173414279 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007682a472 5 bytes JMP 0000000173417ae1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000768327ce 5 bytes JMP 0000000173411be1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007683e6cf 5 bytes JMP 0000000173411b49 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000749978e2 5 bytes JMP 0000000173414441 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074997bd3 5 bytes JMP 00000001734143a9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074998a29 5 bytes JMP 0000000173414f89 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000749998fd 1 byte JMP 0000000173415c01 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000749998ff 3 bytes {JMP 0xfffffffffea7c304} .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007499b6ed 5 bytes JMP 0000000173417b79 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007499d22e 5 bytes JMP 0000000173415021 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007499ee09 5 bytes JMP 00000001734134d1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007499ffe6 5 bytes JMP 0000000173415ad1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000749a00d9 5 bytes JMP 0000000173415b69 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000749a05ba 5 bytes JMP 0000000173414571 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000749a0dfb 5 bytes JMP 00000001734150b9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000749a12a5 5 bytes JMP 00000001734176b9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000749a20ec 5 bytes JMP 0000000173415449 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000749a3baa 5 bytes JMP 0000000173417621 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000749a5f74 5 bytes JMP 00000001734144d9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000749a6285 5 bytes JMP 0000000173414bf9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000749a7603 5 bytes JMP 0000000173412be9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000749a7aee 5 bytes JMP 00000001734153b1 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000749a835c 5 bytes JMP 0000000173412b51 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000749bce54 5 bytes JMP 00000001734151e9 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000749bf52b 5 bytes JMP 0000000173414c91 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000749bf588 5 bytes JMP 0000000173415c99 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000749c10a0 5 bytes JMP 0000000173415151 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000749efcd6 2 bytes JMP 0000000173415281 .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000749efcd9 2 bytes [A2, FE] .text C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe[6264] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000749efcfa 5 bytes JMP 0000000173415319 ---- Processes - GMER 2.1 ---- Process C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe (*** suspicious ***) @ C:\Users\Jarek76\AppData\Local\Temp\Rar$EXa0.089\gmer.exe [6264](2015-06-29 20:08:27) 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{EB5B7320-82B5-4B07-9C51-9728D44F444A}\Connection@Name isatap.{BF20536C-9207-4C56-8155-0971DB370DE0} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{7BF4DBB3-7F96-44F2-A1E8-9E6E4B562331}?\Device\{EB5B7320-82B5-4B07-9C51-9728D44F444A}?\Device\{750F62A0-E5E9-4BE5-B44A-053400040F4B}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{7BF4DBB3-7F96-44F2-A1E8-9E6E4B562331}"?"{EB5B7320-82B5-4B07-9C51-9728D44F444A}"?"{750F62A0-E5E9-4BE5-B44A-053400040F4B}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{7BF4DBB3-7F96-44F2-A1E8-9E6E4B562331}?\Device\TCPIP6TUNNEL_{EB5B7320-82B5-4B07-9C51-9728D44F444A}?\Device\TCPIP6TUNNEL_{750F62A0-E5E9-4BE5-B44A-053400040F4B}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{EB5B7320-82B5-4B07-9C51-9728D44F444A}@InterfaceName isatap.{BF20536C-9207-4C56-8155-0971DB370DE0} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{EB5B7320-82B5-4B07-9C51-9728D44F444A}@ReusableType 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice@Progid IE.AssocFile.PARTIAL Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice@Progid IE.AssocFile.SVG Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice@Progid IE.AssocFile.WEBSITE Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice@Progid WMP11.AssocFile.WMD Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice@Progid WMP11.AssocFile.WMS Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice@Progid WMP11.AssocFile.WMZ Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice@Progid FirefoxHTML Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice@Progid FirefoxHTML ---- EOF - GMER 2.1 ----