GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-03 19:39:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000069 WDC_WD50 rev.01.0 465,76GB Running: ockq3kzv.exe; Driver: C:\Users\Giant\AppData\Local\Temp\pwddqkod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000165300 7 bytes [00, 6D, F3, FF, C1, 7B, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000165308 3 bytes [C0, 06, 02] .text ... * 109 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 320 fffff9600022d6c8 15 bytes [48, B8, 2C, 1A, A9, 03, 80, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 03] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 03] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 03] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 03] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 03] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 03] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 03, 00] .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!CallNextHookEx + 1 0000000076dabae1 14 bytes [B8, 80, 7A, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetAsyncKeyState + 1 0000000076dac721 18 bytes [B8, BC, 75, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!PostThreadMessageW + 121 0000000076db0bed 12 bytes [B8, B8, 80, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!PeekMessageA + 1 0000000076db3a19 14 bytes [B8, A8, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!IsProcessDPIAware + 376 0000000076db483c 15 bytes [48, B8, 94, 7F, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetKeyState + 1 0000000076db5011 18 bytes [B8, BC, 76, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetMessageA + 1 0000000076db6111 14 bytes [B8, 08, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!PeekMessageW + 1 0000000076db8fd1 14 bytes [B8, 00, 11, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetMessageW 0000000076db9e74 12 bytes [48, B8, 58, 10, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetLastActivePopup + 93 0000000076dc89a9 14 bytes [B8, F4, A7, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076dc8a10 6 bytes [48, B8, BC, 77, 03, 00] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetKeyboardState + 8 0000000076dc8a18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetRawInputData 0000000076dcb000 6 bytes [48, B8, 80, 74, 03, 00] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetRawInputData + 8 0000000076dcb008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!EndTask + 1 0000000076df1605 17 bytes [B8, 34, 22, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[440] C:\Windows\system32\USER32.dll!GetRawInputBuffer + 1 0000000076e05091 12 bytes [B8, 54, 75, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 03] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 03] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 03] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 03] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 03] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 03] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 03, 00] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!CallNextHookEx + 1 0000000076dabae1 14 bytes [B8, 80, 7A, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetAsyncKeyState + 1 0000000076dac721 18 bytes [B8, BC, 75, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!PostThreadMessageW + 121 0000000076db0bed 12 bytes [B8, B8, 80, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!PeekMessageA + 1 0000000076db3a19 14 bytes [B8, A8, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!IsProcessDPIAware + 376 0000000076db483c 15 bytes [48, B8, 94, 7F, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetKeyState + 1 0000000076db5011 18 bytes [B8, BC, 76, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetMessageA + 1 0000000076db6111 14 bytes [B8, 08, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!PeekMessageW + 1 0000000076db8fd1 14 bytes [B8, 00, 11, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetMessageW 0000000076db9e74 12 bytes [48, B8, 58, 10, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetLastActivePopup + 93 0000000076dc89a9 14 bytes [B8, F4, A7, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076dc8a10 6 bytes [48, B8, BC, 77, 03, 00] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetKeyboardState + 8 0000000076dc8a18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetRawInputData 0000000076dcb000 6 bytes [48, B8, 80, 74, 03, 00] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetRawInputData + 8 0000000076dcb008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!EndTask + 1 0000000076df1605 17 bytes [B8, 34, 22, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[528] C:\Windows\system32\USER32.dll!GetRawInputBuffer + 1 0000000076e05091 12 bytes [B8, 54, 75, 03, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 01, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 01, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 01] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 01] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 01] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 01] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 01] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 01] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 01, 00] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007feff06dcb1 14 bytes [B8, 84, 92, 01, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 8 bytes [48, B8, F4, 91, 01, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007feff08721a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007feff092b29 14 bytes [B8, F4, 92, 01, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1812] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefd3a1c80 14 bytes [48, B8, 30, A8, 01, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 06] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 06] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 06] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 06] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 06] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 06] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 06, 00] .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\kernel32.dll!VirtualProtectEx + 1 0000000076eebf81 13 bytes [B8, 84, 14, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007feff06dcb1 14 bytes [B8, 84, 92, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 8 bytes [48, B8, F4, 91, 06, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007feff08721a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007feff092b29 14 bytes [B8, F4, 92, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefd3a1c80 14 bytes [48, B8, 30, A8, 06, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\samcli.dll!NetUserSetInfo + 1 000007fefa4868bd 1 byte [B8] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\samcli.dll!NetUserSetInfo + 3 000007fefa4868bf 12 bytes [26, 06, 00, 00, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\samcli.dll!NetUserChangePassword 000007fefa487e18 15 bytes [48, B8, 7C, 27, 06, 00, 00, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtClose + 1 00000000771bf9e1 3 bytes [0B, 1D, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtClose + 5 00000000771bf9e5 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000771c00b5 3 bytes [08, 1A, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771c00b9 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 1 00000000771c0389 3 bytes [68, 1C, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 5 00000000771c038d 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000771c03b9 3 bytes [96, 19, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000771c03bd 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 1 00000000771c03d1 3 bytes [E0, 1B, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 5 00000000771c03d5 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 1 00000000771c0551 3 bytes [34, 1D, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 00000000771c0555 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 00000000771c0695 3 bytes [E2, 19, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 00000000771c0699 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000771c18c1 3 bytes [BC, 19, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000771c18c5 2 bytes [50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000771ddffe 7 bytes [B8, B3, 75, 19, 00, 50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771df7fd 10 bytes [B8, 05, 83, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074f24322 7 bytes JMP 00000001001911e5 .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000074fa4d6a 7 bytes JMP 0000000100191229 .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075f678e2 8 bytes [B8, 8D, 1D, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075f67bd3 8 bytes [B8, 45, 1D, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f68332 7 bytes [B8, DD, 18, 19, 00, 50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!RegisterClassW + 237 0000000075f68b52 8 bytes [B8, 96, 5B, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075f705ba 11 bytes [B8, 20, 1E, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f7291f 11 bytes [B8, 94, 76, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075f75f74 11 bytes [B8, D5, 1D, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f76110 7 bytes [B8, B7, 18, 19, 00, 50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075f76285 12 bytes [B8, E2, 77, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!ScrollWindowEx + 84 0000000075f8d5bf 8 bytes [B8, 44, 73, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f8eb96 7 bytes [B8, E7, 75, 19, 00, 50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075f8ec69 3 bytes [41, 77, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075f8ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075fb816c 11 bytes [B8, 7A, 56, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075fc8370 3 bytes [DD, 55, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075fc8374 5 bytes [50, C3, 90, 90, 90] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!EndTask + 1 0000000075fca7ef 3 bytes [4F, 19, 19] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\USER32.dll!EndTask + 5 0000000075fca7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000750c548d 10 bytes [B8, D7, 69, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000750d9cff 8 bytes [B8, 53, 86, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000750d9d42 9 bytes [B8, B1, 69, 19, 00, 50, C3, ...] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\MSCTF.dll!TF_Notify 0000000076073a1d 7 bytes [B8, 71, 73, 19, 00, 50, C3] .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769a1401 2 bytes JMP 74f4b263 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769a1419 2 bytes JMP 74f4b38e C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769a1431 2 bytes JMP 74fc9099 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769a144a 2 bytes CALL 74f248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769a14dd 2 bytes JMP 74fc898f C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769a14f5 2 bytes JMP 74fc8b68 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769a150d 2 bytes JMP 74fc8885 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769a1525 2 bytes JMP 74fc8c52 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769a153d 2 bytes JMP 74f3fce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769a1555 2 bytes JMP 74f46937 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769a156d 2 bytes JMP 74fc9151 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769a1585 2 bytes JMP 74fc8cb2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769a159d 2 bytes JMP 74fc8849 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769a15b5 2 bytes JMP 74f3fd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769a15cd 2 bytes JMP 74f4b324 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769a16b2 2 bytes JMP 74fc9014 C:\Windows\syswow64\kernel32.dll .text C:\Users\Giant\AppData\Local\FluxSoftware\Flux\flux.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769a16bd 2 bytes JMP 74fc87de C:\Windows\syswow64\kernel32.dll .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtClose + 1 00000000771bf9e1 3 bytes [0B, 1D, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtClose + 5 00000000771bf9e5 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000771c00b5 3 bytes [08, 1A, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771c00b9 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 1 00000000771c0389 3 bytes [68, 1C, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 5 00000000771c038d 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000771c03b9 3 bytes [96, 19, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000771c03bd 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 1 00000000771c03d1 3 bytes [E0, 1B, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 5 00000000771c03d5 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 1 00000000771c0551 3 bytes [34, 1D, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 00000000771c0555 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 00000000771c0695 3 bytes [E2, 19, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 00000000771c0699 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000771c18c1 3 bytes [BC, 19, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000771c18c5 2 bytes [50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000771ddffe 7 bytes [B8, B3, 75, 05, 00, 50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771df7fd 10 bytes [B8, 05, 83, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074f24322 7 bytes JMP 00000001000511e5 .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000074fa4d6a 7 bytes JMP 0000000100051229 .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075f678e2 8 bytes [B8, 8D, 1D, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075f67bd3 8 bytes [B8, 45, 1D, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f68332 7 bytes [B8, DD, 18, 05, 00, 50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!RegisterClassW + 237 0000000075f68b52 8 bytes [B8, 96, 5B, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075f705ba 11 bytes [B8, 20, 1E, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f7291f 11 bytes [B8, 94, 76, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075f75f74 11 bytes [B8, D5, 1D, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f76110 7 bytes [B8, B7, 18, 05, 00, 50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075f76285 12 bytes [B8, E2, 77, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!ScrollWindowEx + 84 0000000075f8d5bf 8 bytes [B8, 44, 73, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f8eb96 7 bytes [B8, E7, 75, 05, 00, 50, C3] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075f8ec69 3 bytes [41, 77, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075f8ec6d 5 bytes [50, C3, 90, 90, 90] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075fb816c 11 bytes [B8, 7A, 56, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075fc8370 3 bytes [DD, 55, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075fc8374 5 bytes [50, C3, 90, 90, 90] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!EndTask + 1 0000000075fca7ef 3 bytes [4F, 19, 05] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\USER32.dll!EndTask + 5 0000000075fca7f3 5 bytes [50, C3, 90, 90, 90] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000750c548d 10 bytes [B8, D7, 69, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000750d9cff 8 bytes [B8, 53, 86, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000750d9d42 9 bytes [B8, B1, 69, 05, 00, 50, C3, ...] .text D:\Dokumenty\KeeP\KeePass.exe[2540] C:\Windows\syswow64\MSCTF.dll!TF_Notify 0000000076073a1d 7 bytes [B8, 71, 73, 05, 00, 50, C3] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 1E, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 1E, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 1E, 00] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\system32\kernel32.dll!VirtualProtectEx + 1 0000000076eebf81 13 bytes [B8, 84, 14, 1E, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007feff06dcb1 14 bytes [B8, 84, 92, 1E, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 8 bytes [48, B8, F4, 91, 1E, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007feff08721a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007feff092b29 14 bytes [B8, F4, 92, 1E, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[2876] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefd3a1c80 14 bytes [48, B8, 30, A8, 1E, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 06] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 06] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 06] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 06] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 06] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 06] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 06, 00] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007feff06dcb1 14 bytes [B8, 84, 92, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 8 bytes [48, B8, F4, 91, 06, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007feff08721a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007feff092b29 14 bytes [B8, F4, 92, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefd3a1c80 14 bytes [48, B8, 30, A8, 06, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\SAMCLI.DLL!NetUserSetInfo + 1 000007fefa4868bd 1 byte [B8] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\SAMCLI.DLL!NetUserSetInfo + 3 000007fefa4868bf 12 bytes [26, 06, 00, 00, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieSvc.exe[1728] C:\Windows\system32\SAMCLI.DLL!NetUserChangePassword 000007fefa487e18 15 bytes [48, B8, 7C, 27, 06, 00, 00, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!RtlAdjustPrivilege 0000000076fca0c0 6 bytes {JMP QWORD [RIP-0x24a0c6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe22f0 2 bytes JMP 00000001749f7f40 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 3 0000000076fe22f3 2 bytes [A1, FD] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe6290 5 bytes JMP 00000001749f7e50 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076fea430 5 bytes JMP 0000000100060830 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx 0000000076ff5140 5 bytes JMP 00000001749fcad0 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!RtlGetCurrentDirectory_U 0000000077005d20 5 bytes JMP 00000001749d6710 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!RtlSetCurrentDirectory_U 0000000077006050 5 bytes JMP 00000001749d6980 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryElevationFlags 0000000077006440 5 bytes JMP 0000000174a077d0 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!LdrQueryImageFileExecutionOptions 00000000770066e0 5 bytes JMP 00000001749f8000 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter 000000007700be60 6 bytes [51, 48, B8, 00, 12, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter + 8 000000007700be68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForSingleObject + 8 000000007700be78 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 000000007700be90 6 bytes JMP 00000001749cd390 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 000000007700be98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9c38} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 000000007700bea8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c1608} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 000000007700beb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletion + 8 000000007700bec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseSemaphore + 8 000000007700bed8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 8 000000007700bee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort + 8 000000007700bef8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda009c8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007700bf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetEvent + 8 000000007700bf18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee18} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee188} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 8 000000007700bf38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce818} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationFile + 8 000000007700bf48 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea6a8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 000000007700bf58 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea228} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey + 8 000000007700bf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFindAtom + 8 000000007700bf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultLocale + 8 000000007700bf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eaac8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryKey + 8 000000007700bf98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9ee8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey + 8 000000007700bfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 000000007700bfb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f1748} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 000000007700bfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects32 + 8 000000007700bfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather + 8 000000007700bfe8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f16f8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 000000007700bff8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9568} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 000000007700c008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory + 8 000000007700c018 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ded68} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort + 8 000000007700c028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseMutant + 8 000000007700c038 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb678} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 000000007700c048 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df348} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 000000007700c058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee2b8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory + 8 000000007700c068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007700c078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 000000007700c088 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbef8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007700c098 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cf2f8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007700c0a8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckAndAuditAlarm 000000007700c0c0 6 bytes [51, 48, B8, 60, 14, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckAndAuditAlarm + 8 000000007700c0c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007700c0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 8 000000007700c0e8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority 000000007700c100 6 bytes [51, 48, B8, A0, 14, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority + 8 000000007700c108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter + 8 000000007700c118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007700c128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007700c138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPerformanceCounter + 8 000000007700c148 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e98a8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey + 8 000000007700c158 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee48} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007700c168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDelayExecution + 8 000000007700c178 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9b28} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 000000007700c188 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01db8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 000000007700c198 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1c28} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 000000007700c1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimer + 8 000000007700c1b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc258} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile + 8 000000007700c1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 000000007700c1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCloseObjectAuditAlarm + 8 000000007700c1e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbe68} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 000000007700c1f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cb5e8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007700c208 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtClearEvent + 8 000000007700c218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 000000007700c228 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1178} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 000000007700c238 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb568} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 000000007700c248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateToken + 8 000000007700c258 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage 000000007700c270 6 bytes [51, 48, B8, 10, 16, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage + 8 000000007700c278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 000000007700c288 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom 000000007700c2a0 6 bytes [51, 48, B8, 40, 16, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom + 8 000000007700c2a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0f28} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 000000007700c2b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc5e8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVolumeInformationFile + 8 000000007700c2c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e18a8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 000000007700c2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile + 8 000000007700c2e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtApphelpCacheControl + 8 000000007700c2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 000000007700c308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 000000007700c318 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtIsProcessInJob + 8 000000007700c328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 000000007700c338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySection + 8 000000007700c348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 000000007700c358 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData 000000007700c370 6 bytes [51, 48, B8, 10, 17, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData + 8 000000007700c378 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cec78} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEvent + 8 000000007700c398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteRequestData + 8 000000007700c3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 000000007700c3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeAndAuditAlarm + 8 000000007700c3c8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects 000000007700c3e0 6 bytes [51, 48, B8, 80, 17, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects + 8 000000007700c3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 000000007700c3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFile + 8 000000007700c408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01878} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTraceEvent + 8 000000007700c418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPowerInformation + 8 000000007700c428 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7f68} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 000000007700c438 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCancelTimer + 8 000000007700c448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimer + 8 000000007700c458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAcceptConnectPort + 8 000000007700c468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheck + 8 000000007700c478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType + 8 000000007700c488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultList + 8 000000007700c498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarm + 8 000000007700c4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarmByHandle + 8 000000007700c4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 8 000000007700c4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAddDriverEntry + 8 000000007700c4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustGroupsToken + 8 000000007700c4e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlertResumeThread + 8 000000007700c4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlertThread + 8 000000007700c508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateLocallyUniqueId + 8 000000007700c518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateReserveObject + 8 000000007700c528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUserPhysicalPages + 8 000000007700c538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUuids + 8 000000007700c548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCancelMessage + 8 000000007700c568 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0458} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e02d8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePortSection + 8 000000007700c598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateResourceReserve + 8 000000007700c5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSectionView + 8 000000007700c5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSecurityContext + 8 000000007700c5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeletePortSection + 8 000000007700c5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteResourceReserve + 8 000000007700c5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSectionView + 8 000000007700c5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSecurityContext + 8 000000007700c608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDisconnectPort + 8 000000007700c618 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de788} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort + 8 000000007700c628 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderProcess + 8 000000007700c638 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderThread + 8 000000007700c648 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de438} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformation + 8 000000007700c658 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de458} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformationMessage + 8 000000007700c668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcRevokeSecurityContext + 8 000000007700c678 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9deee8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSetInformation + 8 000000007700c698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAreMappedFilesTheSame + 8 000000007700c6a8 9 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 2 000000007700c6b2 4 bytes {JMP 0xfffffffffda01990} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 8 000000007700c6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFileEx + 8 000000007700c6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCancelSynchronousIoFile + 8 000000007700c6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCommitComplete + 8 000000007700c6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCommitEnlistment + 8 000000007700c6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction + 8 000000007700c708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCompactKeys + 8 000000007700c718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCompareTokens + 8 000000007700c728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCompleteConnectPort + 8 000000007700c738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCompressKey + 8 000000007700c748 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9dfba8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDebugObject + 8 000000007700c768 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDirectoryObject + 8 000000007700c778 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEnlistment + 8 000000007700c788 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair + 8 000000007700c798 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 000000007700c7a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda015c8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobObject + 8 000000007700c7b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobSet + 8 000000007700c7c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyTransacted + 8 000000007700c7d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 000000007700c7e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8dd8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMailslotFile + 8 000000007700c7f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0d18} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 000000007700c808 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8f78} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 000000007700c818 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 000000007700c828 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df908} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 8 000000007700c838 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePrivateNamespace + 8 000000007700c848 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 000000007700c858 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 000000007700c868 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 000000007700c878 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateResourceManager + 8 000000007700c888 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0fa8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 000000007700c898 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 000000007700c8a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 000000007700c8b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 000000007700c8c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateToken + 8 000000007700c8d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction + 8 000000007700c8e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransactionManager + 8 000000007700c8f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 000000007700c908 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort + 8 000000007700c918 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWorkerFactory + 8 000000007700c928 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 000000007700c938 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugContinue + 8 000000007700c948 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteAtom + 8 000000007700c958 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry + 8 000000007700c968 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteDriverEntry + 8 000000007700c978 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce958} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 000000007700c988 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea0e8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey + 8 000000007700c998 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteObjectAuditAlarm + 8 000000007700c9a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeletePrivateNamespace + 8 000000007700c9b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9f38} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 000000007700c9c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDisableLastKnownGood + 8 000000007700c9d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDisplayString + 8 000000007700c9e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDrawText + 8 000000007700c9f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtEnableLastKnownGood + 8 000000007700ca08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateBootEntries + 8 000000007700ca18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateDriverEntries + 8 000000007700ca28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateSystemEnvironmentValuesEx + 8 000000007700ca38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateTransactionObject + 8 000000007700ca48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtExtendSection + 8 000000007700ca58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFilterToken + 8 000000007700ca68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstallUILanguage + 8 000000007700ca78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstructionCache + 8 000000007700ca88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFlushKey + 8 000000007700ca98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFlushProcessWriteBuffers + 8 000000007700caa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFlushVirtualMemory + 8 000000007700cab8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFlushWriteBuffer + 8 000000007700cac8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFreeUserPhysicalPages + 8 000000007700cad8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeRegistry + 8 000000007700cae8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeTransactions + 8 000000007700caf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 8 000000007700cb08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetCurrentProcessorNumber + 8 000000007700cb18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetDevicePowerState + 8 000000007700cb28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetMUIRegistryInfo + 8 000000007700cb38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 000000007700cb48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 000000007700cb58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetNlsSectionPtr + 8 000000007700cb68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetNotificationResourceManager + 8 000000007700cb78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetPlugPlayEvent + 8 000000007700cb88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtGetWriteWatch + 8 000000007700cb98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de238} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateAnonymousToken + 8 000000007700cba8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de268} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateThread + 8 000000007700cbb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeNlsFiles + 8 000000007700cbc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeRegistry + 8 000000007700cbd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtInitiatePowerAction + 8 000000007700cbe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtIsSystemResumeAutomatic + 8 000000007700cbf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtIsUILanguageComitted + 8 000000007700cc08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtListenPort + 8 000000007700cc18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eb938} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 000000007700cc28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6d28} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey + 8 000000007700cc38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey2 + 8 000000007700cc48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKeyEx + 8 000000007700cc58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLockFile + 8 000000007700cc68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLockProductActivationKeys + 8 000000007700cc78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLockRegistryKey + 8 000000007700cc88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLockVirtualMemory + 8 000000007700cc98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtMakePermanentObject + 8 000000007700cca8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 8 000000007700ccb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtMapCMFModule + 8 000000007700ccc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPages + 8 000000007700ccd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 8 000000007700cce8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyDriverEntry + 8 000000007700ccf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeDirectoryFile + 8 000000007700cd08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7838} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 8 000000007700cd18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 8 000000007700cd28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeSession + 8 000000007700cd38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEnlistment + 8 000000007700cd48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 8 000000007700cd58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 000000007700cd68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenJobObject + 8 000000007700cd78 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e87b8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 000000007700cd88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransacted + 8 000000007700cd98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransactedEx + 8 000000007700cda8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 000000007700cdb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0908} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 000000007700cdc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenObjectAuditAlarm + 8 000000007700cdd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenPrivateNamespace + 8 000000007700cde8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007700cdf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenResourceManager + 8 000000007700ce08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0bf8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 000000007700ce18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSession + 8 000000007700ce28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 000000007700ce38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa5e8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007700ce48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 000000007700ce58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransaction + 8 000000007700ce68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransactionManager + 8 000000007700ce78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPlugPlayControl + 8 000000007700ce88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareComplete + 8 000000007700ce98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareEnlistment + 8 000000007700cea8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareComplete + 8 000000007700ceb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareEnlistment + 8 000000007700cec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeCheck + 8 000000007700ced8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeObjectAuditAlarm + 8 000000007700cee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegedServiceAuditAlarm + 8 000000007700cef8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationComplete + 8 000000007700cf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationFailed + 8 000000007700cf18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtPulseEvent + 8 000000007700cf28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootEntryOrder + 8 000000007700cf38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootOptions + 8 000000007700cf48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDebugFilterState + 8 000000007700cf58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryObject + 8 000000007700cf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDriverEntryOrder + 8 000000007700cf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEaFile + 8 000000007700cf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ca8a8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007700cf98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationAtom + 8 000000007700cfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationEnlistment + 8 000000007700cfb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationJobObject + 8 000000007700cfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationPort + 8 000000007700cfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationResourceManager + 8 000000007700cfe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransaction + 8 000000007700cff8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransactionManager + 8 000000007700d008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationWorkerFactory + 8 000000007700d018 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInstallUILanguage + 8 000000007700d028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 000000007700d038 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIoCompletion + 8 000000007700d048 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue + 8 000000007700d058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9308} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 8 000000007700d068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMutant + 8 000000007700d078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeys + 8 000000007700d088 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeysEx + 8 000000007700d098 12 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 5 000000007700d0a5 1 byte [06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 8 000000007700d0a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryQuotaInformationFile + 8 000000007700d0b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityAttributesToken + 8 000000007700d0c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa3c8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject + 8 000000007700d0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySemaphore + 8 000000007700d0e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySymbolicLinkObject + 8 000000007700d0f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValue + 8 000000007700d108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx + 8 000000007700d118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformationEx + 8 000000007700d128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimerResolution + 8 000000007700d138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 000000007700d148 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007700d160 6 bytes [51, 48, B8, 00, 25, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 000000007700d168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReadOnlyEnlistment + 8 000000007700d178 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverEnlistment + 8 000000007700d188 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverResourceManager + 8 000000007700d198 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverTransactionManager + 8 000000007700d1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterProtocolAddressInformation + 8 000000007700d1b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterThreadTerminatePort + 8 000000007700d1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseKeyedEvent + 8 000000007700d1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseWorkerFactoryWorker + 8 000000007700d1e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletionEx + 8 000000007700d1f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveProcessDebug + 8 000000007700d208 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRenameKey + 8 000000007700d218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRenameTransactionManager + 8 000000007700d228 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplaceKey + 8 000000007700d238 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplacePartitionUnit + 8 000000007700d248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReplyPort + 8 000000007700d258 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRequestPort + 8 000000007700d268 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtResetEvent + 8 000000007700d278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtResetWriteWatch + 8 000000007700d288 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRestoreKey + 8 000000007700d298 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess + 8 000000007700d2a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackComplete + 8 000000007700d2b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackEnlistment + 8 000000007700d2c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction + 8 000000007700d2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtRollforwardTransactionManager + 8 000000007700d2e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6658} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKey + 8 000000007700d2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKeyEx + 8 000000007700d308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSaveMergedKeys + 8 000000007700d318 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df218} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSerializeBoot + 8 000000007700d338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 8 000000007700d348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 8 000000007700d358 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 000000007700d368 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetDebugFilterState + 8 000000007700d378 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultHardErrorPort + 8 000000007700d388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultLocale + 8 000000007700d398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultUILanguage + 8 000000007700d3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetDriverEntryOrder + 8 000000007700d3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetEaFile + 8 000000007700d3c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighEventPair + 8 000000007700d3d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighWaitLowEventPair + 8 000000007700d3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationDebugObject + 8 000000007700d3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationEnlistment + 8 000000007700d408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda00c78} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationJobObject + 8 000000007700d418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationKey + 8 000000007700d428 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationResourceManager + 8 000000007700d438 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa338} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationToken + 8 000000007700d448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction + 8 000000007700d458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransactionManager + 8 000000007700d468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationWorkerFactory + 8 000000007700d478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 000000007700d488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletion + 8 000000007700d498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletionEx + 8 000000007700d4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetLdtEntries + 8 000000007700d4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowEventPair + 8 000000007700d4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowWaitHighEventPair + 8 000000007700d4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetQuotaInformationFile + 8 000000007700d4e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa0c8} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject + 8 000000007700d4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValue + 8 000000007700d508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx + 8 000000007700d518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 000000007700d528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 8 000000007700d538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime + 8 000000007700d548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetThreadExecutionState + 8 000000007700d558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerEx + 8 000000007700d568 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerResolution + 8 000000007700d578 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetUuidSeed + 8 000000007700d588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetVolumeInformationFile + 8 000000007700d598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 8 000000007700d5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownWorkerFactory + 8 000000007700d5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSignalAndWaitForSingleObject + 8 000000007700d5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSinglePhaseReject + 8 000000007700d5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtStartProfile + 8 000000007700d5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtStopProfile + 8 000000007700d5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 000000007700d608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 000000007700d618 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 000000007700d628 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert 000000007700d640 6 bytes [51, 48, B8, E0, 29, 06] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert + 8 000000007700d648 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtThawRegistry + 8 000000007700d658 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtThawTransactions + 8 000000007700d668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTraceControl + 8 000000007700d678 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTranslateFilePath + 8 000000007700d688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUmsThreadYield + 8 000000007700d698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 000000007700d6a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey + 8 000000007700d6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey2 + 8 000000007700d6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKeyEx + 8 000000007700d6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockFile + 8 000000007700d6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockVirtualMemory + 8 000000007700d6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 000000007700d708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForDebugEvent + 8 000000007700d718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForKeyedEvent + 8 000000007700d728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForWorkViaWorkerFactory + 8 000000007700d738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitHighEventPair + 8 000000007700d748 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWaitLowEventPair + 8 000000007700d758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWorkerFactoryWorkerReady + 8 000000007700d768 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!RtlGetFullPathName_UEx 0000000077010cd0 5 bytes JMP 00000001749d6c20 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\kernel32.dll!CreateActCtxW 0000000076eba180 5 bytes JMP 0000000174a0d000 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ebdae0 5 bytes JMP 00000001749fdc00 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\kernel32.dll!SetLocaleInfoA 0000000076f0f430 5 bytes JMP 00000001749ce280 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\kernel32.dll!AllocConsole 0000000076f25c60 5 bytes JMP 00000001749e19c0 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f2f690 5 bytes JMP 00000001749ce260 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\kernel32.dll!ReplaceFile 0000000076f34390 5 bytes JMP 00000001749daee0 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\kernel32.dll!WinExec 0000000076f3b4b0 5 bytes JMP 00000001749fcc60 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\KERNELBASE.dll!OpenThreadToken 000007fefce21950 6 bytes {JMP QWORD [RIP-0x416be]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\KERNELBASE.dll!SetThreadToken 000007fefce284a0 6 bytes {JMP QWORD [RIP-0x48296]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\KERNELBASE.dll!AccessCheckByType 000007fefce2caf0 6 bytes {JMP QWORD [RIP-0x4c8ee]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\KERNELBASE.dll!CreateFileMappingW 000007fefce30b40 6 bytes {JMP QWORD [RIP-0x50946]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\KERNELBASE.dll!GetFinalPathNameByHandleW 000007fefce39100 6 bytes {JMP QWORD [RIP-0x590fe]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\KERNELBASE.dll!GetTokenInformation 000007fefce3b150 6 bytes {JMP QWORD [RIP-0x5af3e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60250 6 bytes {JMP QWORD [RIP-0x80256]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!WSASocketW 000007fefd341bd0 6 bytes {JMP QWORD [RIP-0x561946]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!bind 000007fefd341f00 6 bytes {JMP QWORD [RIP-0x561c96]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd3445c1 5 bytes {JMP QWORD [RIP-0x5645ae]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!listen 000007fefd348290 6 bytes {JMP QWORD [RIP-0x56801e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!gethostbyname + 1 000007fefd348df1 5 bytes {JMP QWORD [RIP-0x568b6e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!gethostname 000007fefd34ae20 6 bytes {JMP QWORD [RIP-0x56aba6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!WSANSPIoctl 000007fefd3644c0 6 bytes {JMP QWORD [RIP-0x5844b6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd36e0f0 6 bytes {JMP QWORD [RIP-0x58e0d6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\RPCRT4.dll!RpcBindingInqAuthClientExW 000007fefe6e4d80 6 bytes {JMP QWORD [RIP-0x1904d5e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesW 000007fefe301460 6 bytes {JMP QWORD [RIP-0x1521386]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CloseEventLog + 1 000007fefe309271 5 bytes {JMP QWORD [RIP-0x152920e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!QueryServiceStatusEx 000007fefe309474 6 bytes {JMP QWORD [RIP-0x152940a]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryW 000007fefe30ab20 6 bytes {JMP QWORD [RIP-0x152a986]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExW 000007fefe30eb20 6 bytes {JMP QWORD [RIP-0x152ea86]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!ReportEventW 000007fefe310050 6 bytes {JMP QWORD [RIP-0x152fff6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!LookupAccountNameW 000007fefe310b24 6 bytes {JMP QWORD [RIP-0x153099a]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceW + 1 000007fefe316031 5 bytes {JMP QWORD [RIP-0x1535fee]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!DeregisterEventSource 000007fefe31a5a0 6 bytes {JMP QWORD [RIP-0x153a556]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!RegQueryValueExW 000007fefe31f050 6 bytes {JMP QWORD [RIP-0x153edae]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!RegOpenKeyExW 000007fefe324db0 6 bytes {JMP QWORD [RIP-0x1544b16]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe325548 6 bytes {JMP QWORD [RIP-0x1545446]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameW 000007fefe3256a0 6 bytes {JMP QWORD [RIP-0x15455e6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameW 000007fefe325770 6 bytes {JMP QWORD [RIP-0x15456a6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceA + 1 000007fefe327461 5 bytes {JMP QWORD [RIP-0x1547426]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!QueryServiceObjectSecurity 000007fefe33b2dc 6 bytes {JMP QWORD [RIP-0x155b1fa]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2W 000007fefe33b310 6 bytes {JMP QWORD [RIP-0x155b296]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2A 000007fefe33b330 6 bytes {JMP QWORD [RIP-0x155b2be]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe33b77c 6 bytes {JMP QWORD [RIP-0x155b682]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CreateRestrictedToken 000007fefe33b7fc 6 bytes {JMP QWORD [RIP-0x155b65a]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe33b8f0 3 bytes [FF, 25, 22] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 4 000007fefe33b8f4 2 bytes [AA, FE] .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe33b95c 6 bytes {JMP QWORD [RIP-0x155b852]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredRenameA 000007fefe342d50 6 bytes {JMP QWORD [RIP-0x1562bee]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!GetEffectiveRightsFromAclW 000007fefe345b00 6 bytes {JMP QWORD [RIP-0x1565956]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesA 000007fefe34d170 6 bytes {JMP QWORD [RIP-0x156d09e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExA 000007fefe34d2e0 6 bytes {JMP QWORD [RIP-0x156d24e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusA 000007fefe34d4e0 6 bytes {JMP QWORD [RIP-0x156d45e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusW 000007fefe34d8e0 6 bytes {JMP QWORD [RIP-0x156d856]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!UnlockServiceDatabase 000007fefe34d930 6 bytes {JMP QWORD [RIP-0x156d83e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusW 000007fefe34d9a0 6 bytes {JMP QWORD [RIP-0x156d8f6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusA 000007fefe34dab0 6 bytes {JMP QWORD [RIP-0x156da0e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!LockServiceDatabase 000007fefe34dbc0 6 bytes {JMP QWORD [RIP-0x156dad6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameA 000007fefe34dc40 6 bytes {JMP QWORD [RIP-0x156db8e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameA 000007fefe34dcd0 6 bytes {JMP QWORD [RIP-0x156dc0e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredDeleteW 000007fefe360910 6 bytes {JMP QWORD [RIP-0x158079e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredDeleteA 000007fefe3609d0 6 bytes {JMP QWORD [RIP-0x1580866]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!ReportEventA 000007fefe361cc0 6 bytes {JMP QWORD [RIP-0x1581c6e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryA 000007fefe36c860 6 bytes {JMP QWORD [RIP-0x158c6ce]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsW 000007fefe36d820 6 bytes {JMP QWORD [RIP-0x158d6c6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsA 000007fefe36d950 6 bytes {JMP QWORD [RIP-0x158d7fe]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsW 000007fefe36da80 6 bytes {JMP QWORD [RIP-0x158d936]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsA 000007fefe36db60 6 bytes {JMP QWORD [RIP-0x158da1e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefe36dc60 6 bytes {JMP QWORD [RIP-0x158dade]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefe36dd90 6 bytes {JMP QWORD [RIP-0x158dc16]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredReadW 000007fefe36dec0 6 bytes {JMP QWORD [RIP-0x158dd86]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredReadA 000007fefe36dfd0 6 bytes {JMP QWORD [RIP-0x158de9e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredWriteW 000007fefe36e0e0 6 bytes {JMP QWORD [RIP-0x158dfb6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CredWriteA 000007fefe36e190 6 bytes {JMP QWORD [RIP-0x158e06e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefe370c80 6 bytes {JMP QWORD [RIP-0x1590b66]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe2e642c 5 bytes JMP 000007fefe3255e8 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe2e6484 5 bytes JMP 000007fefe30e870 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe2e6518 5 bytes JMP 000007fefe31ae24 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerW 000007fefe2e659c 5 bytes JMP 000007fefe30e858 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatus 000007fefe2e6730 5 bytes JMP 000007fefe3161ac .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatusEx 000007fefe2e6784 5 bytes JMP 000007fefe309474 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefe2e6824 5 bytes JMP 000007fefe309460 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe2e687c 5 bytes JMP 000007fefe308e94 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerA 000007fefe2e6aa4 5 bytes JMP 000007fefe31a380 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe2e6c34 5 bytes JMP 000007fefe31a36c .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefe2e6d00 5 bytes JMP 000007fefe33b240 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!QueryServiceObjectSecurity 000007fefe2e6d58 5 bytes JMP 000007fefe33b2dc .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2e6e00 5 bytes JMP 000007fefe33b24c .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2e6f2c 5 bytes JMP 000007fefe33b95c .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2e7220 5 bytes JMP 000007fefe33b8f0 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2e739c 5 bytes JMP 000007fefe33b9d4 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2e7538 5 bytes JMP 000007fefe33b9c8 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2e75e8 5 bytes JMP 000007fefe33b77c .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2e790c 5 bytes JMP 000007fefe325548 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2e7ab4 5 bytes JMP 000007fefe3255d4 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigA 000007fefe2e7b04 5 bytes JMP 000007fefe33b2fc .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigW 000007fefe2e7c34 5 bytes JMP 000007fefe30ecac .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2A 000007fefe2e7d78 5 bytes JMP 000007fefe33b330 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2W 000007fefe2e8244 5 bytes JMP 000007fefe33b310 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe2e99e4 5 bytes JMP 000007fefe33b234 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe2e9ac8 5 bytes JMP 000007fefe306e4c .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe2ea51c 5 bytes JMP 000007fefe302c1c .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe2ea530 5 bytes JMP 000007fefe33b2d0 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe2ea5b0 4 bytes JMP 000007fefe308e60 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe2ea5c4 5 bytes JMP 000007fefe33b2c4 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe2ebb28 5 bytes JMP 000007fefe30da10 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe2ebb3c 5 bytes JMP 000007fefe327440 .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExW 000007fefe4c8724 6 bytes {JMP QWORD [RIP-0x16e8542]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\GDI32.dll!GdiAddFontResourceW 000007fefe4ca074 6 bytes {JMP QWORD [RIP-0x16e9eba]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\GDI32.dll!GdiDllInitialize 000007fefe4cae78 6 bytes {JMP QWORD [RIP-0x16eacc6]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\GDI32.dll!RemoveFontResourceExW 000007fefe4d4784 6 bytes {JMP QWORD [RIP-0x16f45c2]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\GDI32.dll!GetFontResourceInfoW + 1 000007fefe4d4845 5 bytes {JMP QWORD [RIP-0x16f467a]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExA 000007fefe4e91f0 6 bytes {JMP QWORD [RIP-0x1709016]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\GDI32.dll!CreateScalableFontResourceW + 1 000007fefe4e9f4d 5 bytes {JMP QWORD [RIP-0x1709d7a]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\IMM32.DLL!ImmAssociateContext 000007fefd241750 6 bytes {JMP QWORD [RIP-0x461566]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\IMM32.DLL!ImmAssociateContextEx 000007fefd248240 6 bytes {JMP QWORD [RIP-0x46804e]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\sxs.dll!SxsInstallW 000007fefcc1ebe0 6 bytes {JMP QWORD [RIP+0x1c163a]} .text C:\Program Files\Sandboxie\SandboxieRpcSs.exe[3876] C:\Windows\system32\SSPICLI.DLL!LsaRegisterLogonProcess + 1 000007fefcb29211 5 bytes JMP 0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlAdjustPrivilege 0000000076fca0c0 6 bytes {JMP QWORD [RIP-0x24a0c6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe22f0 2 bytes JMP 00000001749f7f40 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 3 0000000076fe22f3 2 bytes [A1, FD] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe6290 5 bytes JMP 00000001749f7e50 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076fea430 5 bytes JMP 0000000100030830 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx 0000000076ff5140 5 bytes JMP 00000001749fcad0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlGetCurrentDirectory_U 0000000077005d20 5 bytes JMP 00000001749d6710 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlSetCurrentDirectory_U 0000000077006050 5 bytes JMP 00000001749d6980 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrQueryImageFileExecutionOptions 00000000770066e0 5 bytes JMP 00000001749f8000 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter 000000007700be60 6 bytes [51, 48, B8, 00, 12, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter + 8 000000007700be68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForSingleObject + 8 000000007700be78 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 000000007700be90 6 bytes JMP 00000001749cd390 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 000000007700be98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9c38} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 000000007700bea8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c1608} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 000000007700beb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletion + 8 000000007700bec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseSemaphore + 8 000000007700bed8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 8 000000007700bee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort + 8 000000007700bef8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda009c8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007700bf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetEvent + 8 000000007700bf18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee18} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee188} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 8 000000007700bf38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce818} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationFile + 8 000000007700bf48 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea6a8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 000000007700bf58 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea228} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey + 8 000000007700bf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFindAtom + 8 000000007700bf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultLocale + 8 000000007700bf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eaac8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryKey + 8 000000007700bf98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9ee8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey + 8 000000007700bfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 000000007700bfb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f1748} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 000000007700bfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects32 + 8 000000007700bfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather + 8 000000007700bfe8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f16f8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 000000007700bff8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9568} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 000000007700c008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory + 8 000000007700c018 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ded68} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort + 8 000000007700c028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseMutant + 8 000000007700c038 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb678} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 000000007700c048 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df348} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 000000007700c058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee2b8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory + 8 000000007700c068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007700c078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 000000007700c088 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbef8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007700c098 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cf2f8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007700c0a8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckAndAuditAlarm 000000007700c0c0 6 bytes [51, 48, B8, 60, 14, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckAndAuditAlarm + 8 000000007700c0c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007700c0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 8 000000007700c0e8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority 000000007700c100 6 bytes [51, 48, B8, A0, 14, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority + 8 000000007700c108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter + 8 000000007700c118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007700c128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007700c138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPerformanceCounter + 8 000000007700c148 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e98a8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey + 8 000000007700c158 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee48} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007700c168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDelayExecution + 8 000000007700c178 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9b28} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 000000007700c188 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01db8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 000000007700c198 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1c28} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 000000007700c1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimer + 8 000000007700c1b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc258} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile + 8 000000007700c1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 000000007700c1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCloseObjectAuditAlarm + 8 000000007700c1e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbe68} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 000000007700c1f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cb5e8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007700c208 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtClearEvent + 8 000000007700c218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 000000007700c228 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1178} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 000000007700c238 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb568} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 000000007700c248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateToken + 8 000000007700c258 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage 000000007700c270 6 bytes [51, 48, B8, 10, 16, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage + 8 000000007700c278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 000000007700c288 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom 000000007700c2a0 6 bytes [51, 48, B8, 40, 16, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom + 8 000000007700c2a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0f28} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 000000007700c2b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc5e8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVolumeInformationFile + 8 000000007700c2c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e18a8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 000000007700c2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile + 8 000000007700c2e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtApphelpCacheControl + 8 000000007700c2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 000000007700c308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 000000007700c318 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtIsProcessInJob + 8 000000007700c328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 000000007700c338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySection + 8 000000007700c348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 000000007700c358 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData 000000007700c370 6 bytes [51, 48, B8, 10, 17, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData + 8 000000007700c378 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cec78} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEvent + 8 000000007700c398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteRequestData + 8 000000007700c3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 000000007700c3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeAndAuditAlarm + 8 000000007700c3c8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects 000000007700c3e0 6 bytes [51, 48, B8, 80, 17, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects + 8 000000007700c3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 000000007700c3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFile + 8 000000007700c408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01878} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTraceEvent + 8 000000007700c418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPowerInformation + 8 000000007700c428 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7f68} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 000000007700c438 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCancelTimer + 8 000000007700c448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimer + 8 000000007700c458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAcceptConnectPort + 8 000000007700c468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheck + 8 000000007700c478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType + 8 000000007700c488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultList + 8 000000007700c498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarm + 8 000000007700c4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarmByHandle + 8 000000007700c4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 8 000000007700c4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAddDriverEntry + 8 000000007700c4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustGroupsToken + 8 000000007700c4e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlertResumeThread + 8 000000007700c4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlertThread + 8 000000007700c508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateLocallyUniqueId + 8 000000007700c518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateReserveObject + 8 000000007700c528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUserPhysicalPages + 8 000000007700c538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUuids + 8 000000007700c548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCancelMessage + 8 000000007700c568 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0458} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e02d8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePortSection + 8 000000007700c598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateResourceReserve + 8 000000007700c5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSectionView + 8 000000007700c5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSecurityContext + 8 000000007700c5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeletePortSection + 8 000000007700c5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteResourceReserve + 8 000000007700c5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSectionView + 8 000000007700c5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSecurityContext + 8 000000007700c608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDisconnectPort + 8 000000007700c618 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de788} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort + 8 000000007700c628 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderProcess + 8 000000007700c638 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderThread + 8 000000007700c648 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de438} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformation + 8 000000007700c658 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de458} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformationMessage + 8 000000007700c668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcRevokeSecurityContext + 8 000000007700c678 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9deee8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSetInformation + 8 000000007700c698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAreMappedFilesTheSame + 8 000000007700c6a8 9 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 2 000000007700c6b2 4 bytes {JMP 0xfffffffffda01990} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 8 000000007700c6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFileEx + 8 000000007700c6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCancelSynchronousIoFile + 8 000000007700c6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCommitComplete + 8 000000007700c6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCommitEnlistment + 8 000000007700c6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction + 8 000000007700c708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCompactKeys + 8 000000007700c718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCompareTokens + 8 000000007700c728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCompleteConnectPort + 8 000000007700c738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCompressKey + 8 000000007700c748 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9dfba8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDebugObject + 8 000000007700c768 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDirectoryObject + 8 000000007700c778 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEnlistment + 8 000000007700c788 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair + 8 000000007700c798 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 000000007700c7a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda015c8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobObject + 8 000000007700c7b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobSet + 8 000000007700c7c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyTransacted + 8 000000007700c7d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 000000007700c7e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8dd8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMailslotFile + 8 000000007700c7f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0d18} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 000000007700c808 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8f78} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 000000007700c818 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 000000007700c828 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df908} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 8 000000007700c838 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePrivateNamespace + 8 000000007700c848 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 000000007700c858 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 000000007700c868 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 000000007700c878 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateResourceManager + 8 000000007700c888 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0fa8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 000000007700c898 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 000000007700c8a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 000000007700c8b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 000000007700c8c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateToken + 8 000000007700c8d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction + 8 000000007700c8e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransactionManager + 8 000000007700c8f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 000000007700c908 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort + 8 000000007700c918 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWorkerFactory + 8 000000007700c928 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 000000007700c938 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugContinue + 8 000000007700c948 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteAtom + 8 000000007700c958 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry + 8 000000007700c968 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteDriverEntry + 8 000000007700c978 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce958} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 000000007700c988 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea0e8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey + 8 000000007700c998 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteObjectAuditAlarm + 8 000000007700c9a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeletePrivateNamespace + 8 000000007700c9b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9f38} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 000000007700c9c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDisableLastKnownGood + 8 000000007700c9d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDisplayString + 8 000000007700c9e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtDrawText + 8 000000007700c9f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtEnableLastKnownGood + 8 000000007700ca08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateBootEntries + 8 000000007700ca18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateDriverEntries + 8 000000007700ca28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateSystemEnvironmentValuesEx + 8 000000007700ca38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateTransactionObject + 8 000000007700ca48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtExtendSection + 8 000000007700ca58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFilterToken + 8 000000007700ca68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstallUILanguage + 8 000000007700ca78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstructionCache + 8 000000007700ca88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFlushKey + 8 000000007700ca98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFlushProcessWriteBuffers + 8 000000007700caa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFlushVirtualMemory + 8 000000007700cab8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFlushWriteBuffer + 8 000000007700cac8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFreeUserPhysicalPages + 8 000000007700cad8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeRegistry + 8 000000007700cae8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeTransactions + 8 000000007700caf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 8 000000007700cb08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetCurrentProcessorNumber + 8 000000007700cb18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetDevicePowerState + 8 000000007700cb28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetMUIRegistryInfo + 8 000000007700cb38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 000000007700cb48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 000000007700cb58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetNlsSectionPtr + 8 000000007700cb68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetNotificationResourceManager + 8 000000007700cb78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetPlugPlayEvent + 8 000000007700cb88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetWriteWatch + 8 000000007700cb98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de238} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateAnonymousToken + 8 000000007700cba8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de268} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateThread + 8 000000007700cbb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeNlsFiles + 8 000000007700cbc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeRegistry + 8 000000007700cbd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtInitiatePowerAction + 8 000000007700cbe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtIsSystemResumeAutomatic + 8 000000007700cbf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtIsUILanguageComitted + 8 000000007700cc08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtListenPort + 8 000000007700cc18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eb938} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 000000007700cc28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6d28} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey + 8 000000007700cc38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey2 + 8 000000007700cc48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKeyEx + 8 000000007700cc58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLockFile + 8 000000007700cc68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLockProductActivationKeys + 8 000000007700cc78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLockRegistryKey + 8 000000007700cc88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtLockVirtualMemory + 8 000000007700cc98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMakePermanentObject + 8 000000007700cca8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 8 000000007700ccb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMapCMFModule + 8 000000007700ccc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPages + 8 000000007700ccd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 8 000000007700cce8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyDriverEntry + 8 000000007700ccf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeDirectoryFile + 8 000000007700cd08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7838} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 8 000000007700cd18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 8 000000007700cd28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeSession + 8 000000007700cd38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEnlistment + 8 000000007700cd48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 8 000000007700cd58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 000000007700cd68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenJobObject + 8 000000007700cd78 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e87b8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 000000007700cd88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransacted + 8 000000007700cd98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransactedEx + 8 000000007700cda8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 000000007700cdb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0908} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 000000007700cdc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenObjectAuditAlarm + 8 000000007700cdd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenPrivateNamespace + 8 000000007700cde8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007700cdf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenResourceManager + 8 000000007700ce08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0bf8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 000000007700ce18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSession + 8 000000007700ce28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 000000007700ce38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa5e8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007700ce48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 000000007700ce58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransaction + 8 000000007700ce68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransactionManager + 8 000000007700ce78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPlugPlayControl + 8 000000007700ce88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareComplete + 8 000000007700ce98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareEnlistment + 8 000000007700cea8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareComplete + 8 000000007700ceb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareEnlistment + 8 000000007700cec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeCheck + 8 000000007700ced8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeObjectAuditAlarm + 8 000000007700cee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegedServiceAuditAlarm + 8 000000007700cef8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationComplete + 8 000000007700cf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationFailed + 8 000000007700cf18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtPulseEvent + 8 000000007700cf28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootEntryOrder + 8 000000007700cf38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootOptions + 8 000000007700cf48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDebugFilterState + 8 000000007700cf58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryObject + 8 000000007700cf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDriverEntryOrder + 8 000000007700cf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEaFile + 8 000000007700cf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ca8a8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007700cf98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationAtom + 8 000000007700cfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationEnlistment + 8 000000007700cfb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationJobObject + 8 000000007700cfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationPort + 8 000000007700cfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationResourceManager + 8 000000007700cfe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransaction + 8 000000007700cff8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransactionManager + 8 000000007700d008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationWorkerFactory + 8 000000007700d018 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInstallUILanguage + 8 000000007700d028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 000000007700d038 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIoCompletion + 8 000000007700d048 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue + 8 000000007700d058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9308} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 8 000000007700d068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMutant + 8 000000007700d078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeys + 8 000000007700d088 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeysEx + 8 000000007700d098 12 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 5 000000007700d0a5 1 byte [03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 8 000000007700d0a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryQuotaInformationFile + 8 000000007700d0b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityAttributesToken + 8 000000007700d0c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa3c8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject + 8 000000007700d0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySemaphore + 8 000000007700d0e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySymbolicLinkObject + 8 000000007700d0f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValue + 8 000000007700d108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx + 8 000000007700d118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformationEx + 8 000000007700d128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimerResolution + 8 000000007700d138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 000000007700d148 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007700d160 6 bytes [51, 48, B8, 00, 25, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 000000007700d168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReadOnlyEnlistment + 8 000000007700d178 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverEnlistment + 8 000000007700d188 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverResourceManager + 8 000000007700d198 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverTransactionManager + 8 000000007700d1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterProtocolAddressInformation + 8 000000007700d1b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterThreadTerminatePort + 8 000000007700d1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseKeyedEvent + 8 000000007700d1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseWorkerFactoryWorker + 8 000000007700d1e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletionEx + 8 000000007700d1f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveProcessDebug + 8 000000007700d208 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRenameKey + 8 000000007700d218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRenameTransactionManager + 8 000000007700d228 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReplaceKey + 8 000000007700d238 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReplacePartitionUnit + 8 000000007700d248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReplyPort + 8 000000007700d258 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRequestPort + 8 000000007700d268 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtResetEvent + 8 000000007700d278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtResetWriteWatch + 8 000000007700d288 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRestoreKey + 8 000000007700d298 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess + 8 000000007700d2a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackComplete + 8 000000007700d2b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackEnlistment + 8 000000007700d2c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction + 8 000000007700d2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtRollforwardTransactionManager + 8 000000007700d2e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6658} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKey + 8 000000007700d2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKeyEx + 8 000000007700d308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSaveMergedKeys + 8 000000007700d318 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df218} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSerializeBoot + 8 000000007700d338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 8 000000007700d348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 8 000000007700d358 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 000000007700d368 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetDebugFilterState + 8 000000007700d378 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultHardErrorPort + 8 000000007700d388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultLocale + 8 000000007700d398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultUILanguage + 8 000000007700d3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetDriverEntryOrder + 8 000000007700d3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetEaFile + 8 000000007700d3c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighEventPair + 8 000000007700d3d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighWaitLowEventPair + 8 000000007700d3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationDebugObject + 8 000000007700d3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationEnlistment + 8 000000007700d408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda00c78} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationJobObject + 8 000000007700d418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationKey + 8 000000007700d428 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationResourceManager + 8 000000007700d438 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa338} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationToken + 8 000000007700d448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction + 8 000000007700d458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransactionManager + 8 000000007700d468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationWorkerFactory + 8 000000007700d478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 000000007700d488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletion + 8 000000007700d498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletionEx + 8 000000007700d4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetLdtEntries + 8 000000007700d4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowEventPair + 8 000000007700d4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowWaitHighEventPair + 8 000000007700d4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetQuotaInformationFile + 8 000000007700d4e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa0c8} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject + 8 000000007700d4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValue + 8 000000007700d508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx + 8 000000007700d518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 000000007700d528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 8 000000007700d538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime + 8 000000007700d548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetThreadExecutionState + 8 000000007700d558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerEx + 8 000000007700d568 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerResolution + 8 000000007700d578 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetUuidSeed + 8 000000007700d588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetVolumeInformationFile + 8 000000007700d598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 8 000000007700d5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownWorkerFactory + 8 000000007700d5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSignalAndWaitForSingleObject + 8 000000007700d5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSinglePhaseReject + 8 000000007700d5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtStartProfile + 8 000000007700d5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtStopProfile + 8 000000007700d5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 000000007700d608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 000000007700d618 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 000000007700d628 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert 000000007700d640 6 bytes [51, 48, B8, E0, 29, 03] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert + 8 000000007700d648 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtThawRegistry + 8 000000007700d658 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtThawTransactions + 8 000000007700d668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTraceControl + 8 000000007700d678 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTranslateFilePath + 8 000000007700d688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUmsThreadYield + 8 000000007700d698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 000000007700d6a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey + 8 000000007700d6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey2 + 8 000000007700d6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKeyEx + 8 000000007700d6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockFile + 8 000000007700d6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockVirtualMemory + 8 000000007700d6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 000000007700d708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForDebugEvent + 8 000000007700d718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForKeyedEvent + 8 000000007700d728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForWorkViaWorkerFactory + 8 000000007700d738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitHighEventPair + 8 000000007700d748 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWaitLowEventPair + 8 000000007700d758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWorkerFactoryWorkerReady + 8 000000007700d768 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlGetFullPathName_UEx 0000000077010cd0 5 bytes JMP 00000001749d6c20 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\kernel32.dll!CreateActCtxW 0000000076eba180 5 bytes JMP 0000000174a0d000 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ebdae0 5 bytes JMP 00000001749fdc00 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\kernel32.dll!SetLocaleInfoA 0000000076f0f430 5 bytes JMP 00000001749ce280 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\kernel32.dll!AllocConsole 0000000076f25c60 5 bytes JMP 00000001749e19c0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f2f690 5 bytes JMP 00000001749ce260 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\kernel32.dll!ReplaceFile 0000000076f34390 5 bytes JMP 00000001749daee0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\kernel32.dll!WinExec 0000000076f3b4b0 5 bytes JMP 00000001749fcc60 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\KERNELBASE.dll!SetThreadToken 000007fefce284a0 6 bytes {JMP QWORD [RIP-0x482ae]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\KERNELBASE.dll!AccessCheckByType 000007fefce2caf0 6 bytes {JMP QWORD [RIP-0x4c906]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\KERNELBASE.dll!CreateFileMappingW 000007fefce30b40 6 bytes {JMP QWORD [RIP-0x5095e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\KERNELBASE.dll!GetFinalPathNameByHandleW 000007fefce39100 6 bytes {JMP QWORD [RIP-0x590fe]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\KERNELBASE.dll!GetTokenInformation 000007fefce3b150 6 bytes {JMP QWORD [RIP-0x5af56]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60250 6 bytes {JMP QWORD [RIP-0x80256]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesW 000007fefe301460 6 bytes {JMP QWORD [RIP-0x15213b6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CloseEventLog + 1 000007fefe309271 5 bytes {JMP QWORD [RIP-0x152923e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!QueryServiceStatusEx 000007fefe309474 6 bytes {JMP QWORD [RIP-0x152943a]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryW 000007fefe30ab20 6 bytes {JMP QWORD [RIP-0x152a9b6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExW 000007fefe30eb20 6 bytes {JMP QWORD [RIP-0x152eab6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!ReportEventW 000007fefe310050 6 bytes {JMP QWORD [RIP-0x1530026]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!LookupAccountNameW 000007fefe310b24 6 bytes {JMP QWORD [RIP-0x15309ca]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceW + 1 000007fefe316031 5 bytes {JMP QWORD [RIP-0x153601e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!DeregisterEventSource 000007fefe31a5a0 6 bytes {JMP QWORD [RIP-0x153a586]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe325548 6 bytes {JMP QWORD [RIP-0x1545476]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameW 000007fefe3256a0 6 bytes {JMP QWORD [RIP-0x1545616]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameW 000007fefe325770 6 bytes {JMP QWORD [RIP-0x15456d6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceA + 1 000007fefe327461 5 bytes {JMP QWORD [RIP-0x1547456]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!QueryServiceObjectSecurity 000007fefe33b2dc 6 bytes {JMP QWORD [RIP-0x155b22a]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2W 000007fefe33b310 6 bytes {JMP QWORD [RIP-0x155b2c6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2A 000007fefe33b330 6 bytes {JMP QWORD [RIP-0x155b2ee]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe33b77c 6 bytes {JMP QWORD [RIP-0x155b6b2]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CreateRestrictedToken 000007fefe33b7fc 6 bytes {JMP QWORD [RIP-0x155b68a]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe33b8f0 6 bytes {JMP QWORD [RIP-0x155b80e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe33b95c 6 bytes {JMP QWORD [RIP-0x155b882]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredRenameA 000007fefe342d50 6 bytes {JMP QWORD [RIP-0x1562c1e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!GetEffectiveRightsFromAclW 000007fefe345b00 6 bytes {JMP QWORD [RIP-0x1565986]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesA 000007fefe34d170 6 bytes {JMP QWORD [RIP-0x156d0ce]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExA 000007fefe34d2e0 6 bytes {JMP QWORD [RIP-0x156d27e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusA 000007fefe34d4e0 6 bytes {JMP QWORD [RIP-0x156d48e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusW 000007fefe34d8e0 6 bytes {JMP QWORD [RIP-0x156d886]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!UnlockServiceDatabase 000007fefe34d930 6 bytes {JMP QWORD [RIP-0x156d86e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusW 000007fefe34d9a0 6 bytes {JMP QWORD [RIP-0x156d926]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusA 000007fefe34dab0 6 bytes {JMP QWORD [RIP-0x156da3e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!LockServiceDatabase 000007fefe34dbc0 6 bytes {JMP QWORD [RIP-0x156db06]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameA 000007fefe34dc40 6 bytes {JMP QWORD [RIP-0x156dbbe]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameA 000007fefe34dcd0 6 bytes {JMP QWORD [RIP-0x156dc3e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredDeleteW 000007fefe360910 6 bytes {JMP QWORD [RIP-0x15807ce]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredDeleteA 000007fefe3609d0 6 bytes {JMP QWORD [RIP-0x1580896]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!ReportEventA 000007fefe361cc0 6 bytes {JMP QWORD [RIP-0x1581c9e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryA 000007fefe36c860 6 bytes {JMP QWORD [RIP-0x158c6fe]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsW 000007fefe36d820 6 bytes {JMP QWORD [RIP-0x158d6f6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsA 000007fefe36d950 6 bytes {JMP QWORD [RIP-0x158d82e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsW 000007fefe36da80 6 bytes {JMP QWORD [RIP-0x158d966]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsA 000007fefe36db60 6 bytes {JMP QWORD [RIP-0x158da4e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefe36dc60 6 bytes {JMP QWORD [RIP-0x158db0e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefe36dd90 6 bytes {JMP QWORD [RIP-0x158dc46]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredReadW 000007fefe36dec0 6 bytes {JMP QWORD [RIP-0x158ddb6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredReadA 000007fefe36dfd0 6 bytes {JMP QWORD [RIP-0x158dece]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredWriteW 000007fefe36e0e0 6 bytes {JMP QWORD [RIP-0x158dfe6]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CredWriteA 000007fefe36e190 6 bytes {JMP QWORD [RIP-0x158e09e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefe370c80 6 bytes {JMP QWORD [RIP-0x1590b96]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe2e642c 5 bytes JMP 000007fefe3255e8 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe2e6484 5 bytes JMP 000007fefe30e870 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe2e6518 5 bytes JMP 000007fefe31ae24 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerW 000007fefe2e659c 5 bytes JMP 000007fefe30e858 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatus 000007fefe2e6730 5 bytes JMP 000007fefe3161ac .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatusEx 000007fefe2e6784 5 bytes JMP 000007fefe309474 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefe2e6824 5 bytes JMP 000007fefe309460 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe2e687c 5 bytes JMP 000007fefe308e94 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerA 000007fefe2e6aa4 5 bytes JMP 000007fefe31a380 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe2e6c34 5 bytes JMP 000007fefe31a36c .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefe2e6d00 5 bytes JMP 000007fefe33b240 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!QueryServiceObjectSecurity 000007fefe2e6d58 5 bytes JMP 000007fefe33b2dc .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2e6e00 5 bytes JMP 000007fefe33b24c .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2e6f2c 5 bytes JMP 000007fefe33b95c .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2e7220 5 bytes JMP 000007fefe33b8f0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2e739c 5 bytes JMP 000007fefe33b9d4 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2e7538 5 bytes JMP 000007fefe33b9c8 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2e75e8 5 bytes JMP 000007fefe33b77c .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2e790c 5 bytes JMP 000007fefe325548 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2e7ab4 5 bytes JMP 000007fefe3255d4 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigA 000007fefe2e7b04 5 bytes JMP 000007fefe33b2fc .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigW 000007fefe2e7c34 5 bytes JMP 000007fefe30ecac .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2A 000007fefe2e7d78 5 bytes JMP 000007fefe33b330 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2W 000007fefe2e8244 5 bytes JMP 000007fefe33b310 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe2e99e4 5 bytes JMP 000007fefe33b234 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe2e9ac8 5 bytes JMP 000007fefe306e4c .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe2ea51c 5 bytes JMP 000007fefe302c1c .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe2ea530 5 bytes JMP 000007fefe33b2d0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe2ea5b0 4 bytes JMP 000007fefe308e60 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe2ea5c4 5 bytes JMP 000007fefe33b2c4 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe2ebb28 5 bytes JMP 000007fefe30da10 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe2ebb3c 5 bytes JMP 000007fefe327440 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\RPCRT4.dll!RpcBindingInqAuthClientExW 000007fefe6e4d80 6 bytes {JMP QWORD [RIP-0x1904bfe]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExW 000007fefe4c8724 6 bytes {JMP QWORD [RIP-0x16e855a]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\GDI32.dll!GdiAddFontResourceW 000007fefe4ca074 6 bytes {JMP QWORD [RIP-0x16e9ed2]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\GDI32.dll!GdiDllInitialize 000007fefe4cae78 6 bytes {JMP QWORD [RIP-0x16eacde]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\GDI32.dll!RemoveFontResourceExW 000007fefe4d4784 6 bytes {JMP QWORD [RIP-0x16f45da]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\GDI32.dll!GetFontResourceInfoW + 1 000007fefe4d4845 5 bytes {JMP QWORD [RIP-0x16f4692]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExA 000007fefe4e91f0 6 bytes {JMP QWORD [RIP-0x170902e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\GDI32.dll!CreateScalableFontResourceW + 1 000007fefe4e9f4d 5 bytes {JMP QWORD [RIP-0x1709d92]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\IMM32.DLL!ImmAssociateContext 000007fefd241750 6 bytes {JMP QWORD [RIP-0x46157e]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\IMM32.DLL!ImmAssociateContextEx 000007fefd248240 6 bytes {JMP QWORD [RIP-0x468066]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\SspiCli.dll!LsaRegisterLogonProcess + 1 000007fefcb29211 5 bytes {JMP QWORD [RIP+0x2b6ff2]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\WTSAPI32.dll!WTSEnumerateSessionsW 000007fefac31430 6 bytes JMP 0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\WTSAPI32.dll!WTSQueryUserToken 000007fefac318f0 6 bytes JMP 0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\WTSAPI32.dll!WTSRegisterSessionNotification 000007fefac31d00 6 bytes JMP 0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\WTSAPI32.dll!WTSUnRegisterSessionNotification + 1 000007fefac31e31 5 bytes JMP 0 .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\WTSAPI32.dll!WTSRegisterSessionNotificationEx 000007fefac35030 6 bytes {JMP QWORD [RIP+0x21ab242]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\WTSAPI32.dll!WTSUnRegisterSessionNotificationEx 000007fefac350b4 6 bytes {JMP QWORD [RIP+0x21ab1ce]} .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[3808] C:\Windows\system32\WTSAPI32.dll!WTSEnumerateProcessesW 000007fefac354b0 6 bytes {JMP QWORD [RIP+0x21aadb2]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe22f0 2 bytes JMP 00000001749f7f40 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 3 0000000076fe22f3 2 bytes [A1, FD] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe6290 5 bytes JMP 00000001749f7e50 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076fea430 5 bytes JMP 0000000100130830 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx 0000000076ff5140 5 bytes JMP 00000001749fcad0 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!RtlGetCurrentDirectory_U 0000000077005d20 5 bytes JMP 00000001749d6710 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!RtlSetCurrentDirectory_U 0000000077006050 5 bytes JMP 00000001749d6980 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!LdrQueryImageFileExecutionOptions 00000000770066e0 5 bytes JMP 00000001749f8000 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter 000000007700be60 6 bytes [51, 48, B8, 00, 12, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter + 8 000000007700be68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForSingleObject + 8 000000007700be78 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 000000007700be90 6 bytes JMP 00000001749cd390 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 000000007700be98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9c38} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 000000007700bea8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c1608} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 000000007700beb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletion + 8 000000007700bec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseSemaphore + 8 000000007700bed8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 8 000000007700bee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort + 8 000000007700bef8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda009c8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007700bf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetEvent + 8 000000007700bf18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee18} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee188} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 8 000000007700bf38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce818} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationFile + 8 000000007700bf48 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea6a8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 000000007700bf58 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea228} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey + 8 000000007700bf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFindAtom + 8 000000007700bf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultLocale + 8 000000007700bf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eaac8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryKey + 8 000000007700bf98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9ee8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey + 8 000000007700bfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 000000007700bfb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f1748} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 000000007700bfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects32 + 8 000000007700bfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather + 8 000000007700bfe8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f16f8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 000000007700bff8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9568} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 000000007700c008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory + 8 000000007700c018 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ded68} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort + 8 000000007700c028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseMutant + 8 000000007700c038 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb678} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 000000007700c048 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df348} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 000000007700c058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee2b8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory + 8 000000007700c068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007700c078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 000000007700c088 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbef8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007700c098 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cf2f8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007700c0a8 30 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckAndAuditAlarm + 8 000000007700c0c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007700c0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 8 000000007700c0e8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority 000000007700c100 6 bytes [51, 48, B8, A0, 14, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority + 8 000000007700c108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter + 8 000000007700c118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007700c128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007700c138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPerformanceCounter + 8 000000007700c148 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e98a8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey + 8 000000007700c158 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee48} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007700c168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDelayExecution + 8 000000007700c178 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9b28} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 000000007700c188 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01db8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 000000007700c198 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1c28} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 000000007700c1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimer + 8 000000007700c1b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc258} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile + 8 000000007700c1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 000000007700c1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCloseObjectAuditAlarm + 8 000000007700c1e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbe68} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 000000007700c1f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cb5e8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007700c208 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtClearEvent + 8 000000007700c218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 000000007700c228 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1178} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 000000007700c238 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb568} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 000000007700c248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateToken + 8 000000007700c258 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage 000000007700c270 6 bytes [51, 48, B8, 10, 16, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage + 8 000000007700c278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 000000007700c288 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom 000000007700c2a0 6 bytes [51, 48, B8, 40, 16, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom + 8 000000007700c2a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0f28} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 000000007700c2b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc5e8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVolumeInformationFile + 8 000000007700c2c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e18a8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 000000007700c2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile + 8 000000007700c2e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtApphelpCacheControl + 8 000000007700c2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 000000007700c308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 000000007700c318 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtIsProcessInJob + 8 000000007700c328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 000000007700c338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySection + 8 000000007700c348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 000000007700c358 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData 000000007700c370 6 bytes [51, 48, B8, 10, 17, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData + 8 000000007700c378 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cec78} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEvent + 8 000000007700c398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteRequestData + 8 000000007700c3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 000000007700c3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeAndAuditAlarm + 8 000000007700c3c8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects 000000007700c3e0 6 bytes [51, 48, B8, 80, 17, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects + 8 000000007700c3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 000000007700c3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFile + 8 000000007700c408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01878} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtTraceEvent + 8 000000007700c418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPowerInformation + 8 000000007700c428 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7f68} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 000000007700c438 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCancelTimer + 8 000000007700c448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimer + 8 000000007700c458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAcceptConnectPort + 8 000000007700c468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheck + 8 000000007700c478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType + 8 000000007700c488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultList + 8 000000007700c498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarm + 8 000000007700c4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarmByHandle + 8 000000007700c4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 8 000000007700c4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAddDriverEntry + 8 000000007700c4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustGroupsToken + 8 000000007700c4e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlertResumeThread + 8 000000007700c4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlertThread + 8 000000007700c508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateLocallyUniqueId + 8 000000007700c518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateReserveObject + 8 000000007700c528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUserPhysicalPages + 8 000000007700c538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUuids + 8 000000007700c548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCancelMessage + 8 000000007700c568 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0458} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e02d8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePortSection + 8 000000007700c598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateResourceReserve + 8 000000007700c5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSectionView + 8 000000007700c5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSecurityContext + 8 000000007700c5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeletePortSection + 8 000000007700c5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteResourceReserve + 8 000000007700c5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSectionView + 8 000000007700c5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSecurityContext + 8 000000007700c608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDisconnectPort + 8 000000007700c618 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de788} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort + 8 000000007700c628 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderProcess + 8 000000007700c638 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderThread + 8 000000007700c648 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de438} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformation + 8 000000007700c658 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de458} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformationMessage + 8 000000007700c668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcRevokeSecurityContext + 8 000000007700c678 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9deee8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSetInformation + 8 000000007700c698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAreMappedFilesTheSame + 8 000000007700c6a8 9 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 2 000000007700c6b2 4 bytes {JMP 0xfffffffffda01990} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 8 000000007700c6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFileEx + 8 000000007700c6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCancelSynchronousIoFile + 8 000000007700c6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCommitComplete + 8 000000007700c6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCommitEnlistment + 8 000000007700c6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction + 8 000000007700c708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCompactKeys + 8 000000007700c718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCompareTokens + 8 000000007700c728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCompleteConnectPort + 8 000000007700c738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCompressKey + 8 000000007700c748 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9dfba8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDebugObject + 8 000000007700c768 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDirectoryObject + 8 000000007700c778 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEnlistment + 8 000000007700c788 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair + 8 000000007700c798 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 000000007700c7a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda015c8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobObject + 8 000000007700c7b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobSet + 8 000000007700c7c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyTransacted + 8 000000007700c7d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 000000007700c7e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8dd8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMailslotFile + 8 000000007700c7f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0d18} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 000000007700c808 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8f78} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 000000007700c818 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 000000007700c828 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df908} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 8 000000007700c838 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePrivateNamespace + 8 000000007700c848 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 000000007700c858 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 000000007700c868 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 000000007700c878 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateResourceManager + 8 000000007700c888 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0fa8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 000000007700c898 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 000000007700c8a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 000000007700c8b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 000000007700c8c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateToken + 8 000000007700c8d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction + 8 000000007700c8e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransactionManager + 8 000000007700c8f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 000000007700c908 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort + 8 000000007700c918 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWorkerFactory + 8 000000007700c928 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 000000007700c938 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugContinue + 8 000000007700c948 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteAtom + 8 000000007700c958 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry + 8 000000007700c968 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteDriverEntry + 8 000000007700c978 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce958} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 000000007700c988 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea0e8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey + 8 000000007700c998 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteObjectAuditAlarm + 8 000000007700c9a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeletePrivateNamespace + 8 000000007700c9b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9f38} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 000000007700c9c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDisableLastKnownGood + 8 000000007700c9d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDisplayString + 8 000000007700c9e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtDrawText + 8 000000007700c9f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtEnableLastKnownGood + 8 000000007700ca08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateBootEntries + 8 000000007700ca18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateDriverEntries + 8 000000007700ca28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateSystemEnvironmentValuesEx + 8 000000007700ca38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateTransactionObject + 8 000000007700ca48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtExtendSection + 8 000000007700ca58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFilterToken + 8 000000007700ca68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstallUILanguage + 8 000000007700ca78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstructionCache + 8 000000007700ca88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFlushKey + 8 000000007700ca98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFlushProcessWriteBuffers + 8 000000007700caa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFlushVirtualMemory + 8 000000007700cab8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFlushWriteBuffer + 8 000000007700cac8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFreeUserPhysicalPages + 8 000000007700cad8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeRegistry + 8 000000007700cae8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeTransactions + 8 000000007700caf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 8 000000007700cb08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetCurrentProcessorNumber + 8 000000007700cb18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetDevicePowerState + 8 000000007700cb28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetMUIRegistryInfo + 8 000000007700cb38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 000000007700cb48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 000000007700cb58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetNlsSectionPtr + 8 000000007700cb68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetNotificationResourceManager + 8 000000007700cb78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetPlugPlayEvent + 8 000000007700cb88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtGetWriteWatch + 8 000000007700cb98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de238} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateAnonymousToken + 8 000000007700cba8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de268} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateThread + 8 000000007700cbb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeNlsFiles + 8 000000007700cbc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeRegistry + 8 000000007700cbd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtInitiatePowerAction + 8 000000007700cbe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtIsSystemResumeAutomatic + 8 000000007700cbf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtIsUILanguageComitted + 8 000000007700cc08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtListenPort + 8 000000007700cc18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eb938} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 000000007700cc28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6d28} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey + 8 000000007700cc38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey2 + 8 000000007700cc48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKeyEx + 8 000000007700cc58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLockFile + 8 000000007700cc68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLockProductActivationKeys + 8 000000007700cc78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLockRegistryKey + 8 000000007700cc88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtLockVirtualMemory + 8 000000007700cc98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtMakePermanentObject + 8 000000007700cca8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 8 000000007700ccb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtMapCMFModule + 8 000000007700ccc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPages + 8 000000007700ccd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 8 000000007700cce8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyDriverEntry + 8 000000007700ccf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeDirectoryFile + 8 000000007700cd08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7838} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 8 000000007700cd18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 8 000000007700cd28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeSession + 8 000000007700cd38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEnlistment + 8 000000007700cd48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 8 000000007700cd58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 000000007700cd68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenJobObject + 8 000000007700cd78 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e87b8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 000000007700cd88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransacted + 8 000000007700cd98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransactedEx + 8 000000007700cda8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 000000007700cdb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0908} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 000000007700cdc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenObjectAuditAlarm + 8 000000007700cdd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenPrivateNamespace + 8 000000007700cde8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007700cdf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenResourceManager + 8 000000007700ce08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0bf8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 000000007700ce18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSession + 8 000000007700ce28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 000000007700ce38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa5e8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007700ce48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 000000007700ce58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransaction + 8 000000007700ce68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransactionManager + 8 000000007700ce78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPlugPlayControl + 8 000000007700ce88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareComplete + 8 000000007700ce98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareEnlistment + 8 000000007700cea8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareComplete + 8 000000007700ceb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareEnlistment + 8 000000007700cec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeCheck + 8 000000007700ced8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeObjectAuditAlarm + 8 000000007700cee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegedServiceAuditAlarm + 8 000000007700cef8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationComplete + 8 000000007700cf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationFailed + 8 000000007700cf18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtPulseEvent + 8 000000007700cf28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootEntryOrder + 8 000000007700cf38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootOptions + 8 000000007700cf48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDebugFilterState + 8 000000007700cf58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryObject + 8 000000007700cf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDriverEntryOrder + 8 000000007700cf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEaFile + 8 000000007700cf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ca8a8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007700cf98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationAtom + 8 000000007700cfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationEnlistment + 8 000000007700cfb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationJobObject + 8 000000007700cfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationPort + 8 000000007700cfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationResourceManager + 8 000000007700cfe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransaction + 8 000000007700cff8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransactionManager + 8 000000007700d008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationWorkerFactory + 8 000000007700d018 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInstallUILanguage + 8 000000007700d028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 000000007700d038 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIoCompletion + 8 000000007700d048 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue + 8 000000007700d058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9308} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 8 000000007700d068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMutant + 8 000000007700d078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeys + 8 000000007700d088 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeysEx + 8 000000007700d098 12 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 5 000000007700d0a5 1 byte [13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 8 000000007700d0a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryQuotaInformationFile + 8 000000007700d0b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityAttributesToken + 8 000000007700d0c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa3c8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject + 8 000000007700d0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySemaphore + 8 000000007700d0e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySymbolicLinkObject + 8 000000007700d0f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValue + 8 000000007700d108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx + 8 000000007700d118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformationEx + 8 000000007700d128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimerResolution + 8 000000007700d138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 000000007700d148 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007700d160 6 bytes [51, 48, B8, 00, 25, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 000000007700d168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReadOnlyEnlistment + 8 000000007700d178 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverEnlistment + 8 000000007700d188 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverResourceManager + 8 000000007700d198 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverTransactionManager + 8 000000007700d1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterProtocolAddressInformation + 8 000000007700d1b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterThreadTerminatePort + 8 000000007700d1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseKeyedEvent + 8 000000007700d1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseWorkerFactoryWorker + 8 000000007700d1e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletionEx + 8 000000007700d1f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveProcessDebug + 8 000000007700d208 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRenameKey + 8 000000007700d218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRenameTransactionManager + 8 000000007700d228 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReplaceKey + 8 000000007700d238 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReplacePartitionUnit + 8 000000007700d248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReplyPort + 8 000000007700d258 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRequestPort + 8 000000007700d268 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtResetEvent + 8 000000007700d278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtResetWriteWatch + 8 000000007700d288 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRestoreKey + 8 000000007700d298 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess + 8 000000007700d2a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackComplete + 8 000000007700d2b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackEnlistment + 8 000000007700d2c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction + 8 000000007700d2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtRollforwardTransactionManager + 8 000000007700d2e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6658} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKey + 8 000000007700d2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKeyEx + 8 000000007700d308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSaveMergedKeys + 8 000000007700d318 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df218} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSerializeBoot + 8 000000007700d338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 8 000000007700d348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 8 000000007700d358 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 000000007700d368 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetDebugFilterState + 8 000000007700d378 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultHardErrorPort + 8 000000007700d388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultLocale + 8 000000007700d398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultUILanguage + 8 000000007700d3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetDriverEntryOrder + 8 000000007700d3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetEaFile + 8 000000007700d3c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighEventPair + 8 000000007700d3d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighWaitLowEventPair + 8 000000007700d3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationDebugObject + 8 000000007700d3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationEnlistment + 8 000000007700d408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda00c78} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationJobObject + 8 000000007700d418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationKey + 8 000000007700d428 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationResourceManager + 8 000000007700d438 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa338} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationToken + 8 000000007700d448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction + 8 000000007700d458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransactionManager + 8 000000007700d468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationWorkerFactory + 8 000000007700d478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 000000007700d488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletion + 8 000000007700d498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletionEx + 8 000000007700d4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetLdtEntries + 8 000000007700d4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowEventPair + 8 000000007700d4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowWaitHighEventPair + 8 000000007700d4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetQuotaInformationFile + 8 000000007700d4e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa0c8} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject + 8 000000007700d4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValue + 8 000000007700d508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx + 8 000000007700d518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 000000007700d528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 8 000000007700d538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime + 8 000000007700d548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetThreadExecutionState + 8 000000007700d558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerEx + 8 000000007700d568 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerResolution + 8 000000007700d578 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetUuidSeed + 8 000000007700d588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSetVolumeInformationFile + 8 000000007700d598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 8 000000007700d5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownWorkerFactory + 8 000000007700d5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSignalAndWaitForSingleObject + 8 000000007700d5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSinglePhaseReject + 8 000000007700d5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtStartProfile + 8 000000007700d5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtStopProfile + 8 000000007700d5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 000000007700d608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 000000007700d618 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 000000007700d628 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert 000000007700d640 6 bytes [51, 48, B8, E0, 29, 13] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert + 8 000000007700d648 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtThawRegistry + 8 000000007700d658 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtThawTransactions + 8 000000007700d668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtTraceControl + 8 000000007700d678 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtTranslateFilePath + 8 000000007700d688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUmsThreadYield + 8 000000007700d698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 000000007700d6a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey + 8 000000007700d6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey2 + 8 000000007700d6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKeyEx + 8 000000007700d6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockFile + 8 000000007700d6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockVirtualMemory + 8 000000007700d6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 000000007700d708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForDebugEvent + 8 000000007700d718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForKeyedEvent + 8 000000007700d728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForWorkViaWorkerFactory + 8 000000007700d738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitHighEventPair + 8 000000007700d748 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWaitLowEventPair + 8 000000007700d758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!NtWorkerFactoryWorkerReady + 8 000000007700d768 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\ntdll.dll!RtlGetFullPathName_UEx 0000000077010cd0 5 bytes JMP 00000001749d6c20 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\kernel32.dll!CreateActCtxW 0000000076eba180 5 bytes JMP 0000000174a0d000 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ebdae0 5 bytes JMP 00000001749fdc00 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\kernel32.dll!SetLocaleInfoA 0000000076f0f430 5 bytes JMP 00000001749ce280 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\kernel32.dll!AllocConsole 0000000076f25c60 5 bytes JMP 00000001749e19c0 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f2f690 5 bytes JMP 00000001749ce260 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\kernel32.dll!ReplaceFile 0000000076f34390 5 bytes JMP 00000001749daee0 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\kernel32.dll!WinExec 0000000076f3b4b0 5 bytes JMP 00000001749fcc60 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\KERNELBASE.dll!GetFinalPathNameByHandleW 000007fefce39100 6 bytes {JMP QWORD [RIP-0x590fe]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60250 6 bytes {JMP QWORD [RIP-0x80256]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesW 000007fefe301460 6 bytes {JMP QWORD [RIP-0x15213b6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CloseEventLog + 1 000007fefe309271 5 bytes {JMP QWORD [RIP-0x152923e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!QueryServiceStatusEx 000007fefe309474 6 bytes {JMP QWORD [RIP-0x152943a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryW 000007fefe30ab20 6 bytes {JMP QWORD [RIP-0x152a9b6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExW 000007fefe30eb20 6 bytes {JMP QWORD [RIP-0x152eab6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!ReportEventW 000007fefe310050 6 bytes {JMP QWORD [RIP-0x1530026]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!LookupAccountNameW 000007fefe310b24 6 bytes {JMP QWORD [RIP-0x15309ca]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceW + 1 000007fefe316031 5 bytes {JMP QWORD [RIP-0x153601e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!DeregisterEventSource 000007fefe31a5a0 6 bytes {JMP QWORD [RIP-0x153a586]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe325548 6 bytes {JMP QWORD [RIP-0x1545476]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameW 000007fefe3256a0 6 bytes {JMP QWORD [RIP-0x1545616]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameW 000007fefe325770 6 bytes {JMP QWORD [RIP-0x15456d6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceA + 1 000007fefe327461 5 bytes {JMP QWORD [RIP-0x1547456]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!QueryServiceObjectSecurity 000007fefe33b2dc 6 bytes {JMP QWORD [RIP-0x155b22a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2W 000007fefe33b310 6 bytes {JMP QWORD [RIP-0x155b2c6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2A 000007fefe33b330 6 bytes {JMP QWORD [RIP-0x155b2ee]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe33b77c 6 bytes {JMP QWORD [RIP-0x155b6b2]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CreateRestrictedToken 000007fefe33b7fc 6 bytes {JMP QWORD [RIP-0x155b68a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe33b8f0 6 bytes {JMP QWORD [RIP-0x155b80e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe33b95c 6 bytes {JMP QWORD [RIP-0x155b882]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredRenameA 000007fefe342d50 6 bytes {JMP QWORD [RIP-0x1562c1e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!GetEffectiveRightsFromAclW 000007fefe345b00 6 bytes {JMP QWORD [RIP-0x1565986]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesA 000007fefe34d170 6 bytes {JMP QWORD [RIP-0x156d0ce]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExA 000007fefe34d2e0 6 bytes {JMP QWORD [RIP-0x156d27e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusA 000007fefe34d4e0 6 bytes {JMP QWORD [RIP-0x156d48e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusW 000007fefe34d8e0 6 bytes {JMP QWORD [RIP-0x156d886]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!UnlockServiceDatabase 000007fefe34d930 6 bytes {JMP QWORD [RIP-0x156d86e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusW 000007fefe34d9a0 6 bytes {JMP QWORD [RIP-0x156d926]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusA 000007fefe34dab0 6 bytes {JMP QWORD [RIP-0x156da3e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!LockServiceDatabase 000007fefe34dbc0 6 bytes {JMP QWORD [RIP-0x156db06]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameA 000007fefe34dc40 6 bytes {JMP QWORD [RIP-0x156dbbe]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameA 000007fefe34dcd0 6 bytes {JMP QWORD [RIP-0x156dc3e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredDeleteW 000007fefe360910 6 bytes {JMP QWORD [RIP-0x15807ce]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredDeleteA 000007fefe3609d0 6 bytes {JMP QWORD [RIP-0x1580896]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!ReportEventA 000007fefe361cc0 6 bytes {JMP QWORD [RIP-0x1581c9e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryA 000007fefe36c860 6 bytes {JMP QWORD [RIP-0x158c6fe]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsW 000007fefe36d820 6 bytes {JMP QWORD [RIP-0x158d6f6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsA 000007fefe36d950 6 bytes {JMP QWORD [RIP-0x158d82e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsW 000007fefe36da80 6 bytes {JMP QWORD [RIP-0x158d966]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsA 000007fefe36db60 6 bytes {JMP QWORD [RIP-0x158da4e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefe36dc60 6 bytes {JMP QWORD [RIP-0x158db0e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefe36dd90 6 bytes {JMP QWORD [RIP-0x158dc46]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredReadW 000007fefe36dec0 6 bytes {JMP QWORD [RIP-0x158ddb6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredReadA 000007fefe36dfd0 6 bytes {JMP QWORD [RIP-0x158dece]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredWriteW 000007fefe36e0e0 6 bytes {JMP QWORD [RIP-0x158dfe6]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CredWriteA 000007fefe36e190 6 bytes {JMP QWORD [RIP-0x158e09e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefe370c80 6 bytes {JMP QWORD [RIP-0x1590b96]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe2e642c 5 bytes JMP 000007fefe3255e8 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe2e6484 5 bytes JMP 000007fefe30e870 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe2e6518 5 bytes JMP 000007fefe31ae24 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerW 000007fefe2e659c 5 bytes JMP 000007fefe30e858 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatus 000007fefe2e6730 5 bytes JMP 000007fefe3161ac .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatusEx 000007fefe2e6784 5 bytes JMP 000007fefe309474 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefe2e6824 5 bytes JMP 000007fefe309460 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe2e687c 5 bytes JMP 000007fefe308e94 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerA 000007fefe2e6aa4 5 bytes JMP 000007fefe31a380 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe2e6c34 5 bytes JMP 000007fefe31a36c .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefe2e6d00 5 bytes JMP 000007fefe33b240 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!QueryServiceObjectSecurity 000007fefe2e6d58 5 bytes JMP 000007fefe33b2dc .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2e6e00 5 bytes JMP 000007fefe33b24c .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2e6f2c 5 bytes JMP 000007fefe33b95c .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2e7220 5 bytes JMP 000007fefe33b8f0 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2e739c 5 bytes JMP 000007fefe33b9d4 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2e7538 5 bytes JMP 000007fefe33b9c8 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2e75e8 5 bytes JMP 000007fefe33b77c .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2e790c 5 bytes JMP 000007fefe325548 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2e7ab4 5 bytes JMP 000007fefe3255d4 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigA 000007fefe2e7b04 5 bytes JMP 000007fefe33b2fc .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigW 000007fefe2e7c34 5 bytes JMP 000007fefe30ecac .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2A 000007fefe2e7d78 5 bytes JMP 000007fefe33b330 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2W 000007fefe2e8244 5 bytes JMP 000007fefe33b310 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe2e99e4 5 bytes JMP 000007fefe33b234 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe2e9ac8 5 bytes JMP 000007fefe306e4c .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe2ea51c 5 bytes JMP 000007fefe302c1c .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe2ea530 5 bytes JMP 000007fefe33b2d0 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe2ea5b0 4 bytes JMP 000007fefe308e60 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe2ea5c4 5 bytes JMP 000007fefe33b2c4 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe2ebb28 5 bytes JMP 000007fefe30da10 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe2ebb3c 5 bytes JMP 000007fefe327440 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExW 000007fefe4c8724 6 bytes {JMP QWORD [RIP-0x16e855a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\GDI32.dll!GdiAddFontResourceW 000007fefe4ca074 6 bytes {JMP QWORD [RIP-0x16e9ed2]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\GDI32.dll!GdiDllInitialize 000007fefe4cae78 6 bytes {JMP QWORD [RIP-0x16eacde]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\GDI32.dll!RemoveFontResourceExW 000007fefe4d4784 6 bytes {JMP QWORD [RIP-0x16f45da]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\GDI32.dll!GetFontResourceInfoW + 1 000007fefe4d4845 5 bytes {JMP QWORD [RIP-0x16f4692]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExA 000007fefe4e91f0 6 bytes {JMP QWORD [RIP-0x170902e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\GDI32.dll!CreateScalableFontResourceW + 1 000007fefe4e9f4d 5 bytes {JMP QWORD [RIP-0x1709d92]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WTSAPI32.dll!WTSEnumerateSessionsW 000007fefac31430 6 bytes {JMP QWORD [RIP+0x21aedaa]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WTSAPI32.dll!WTSQueryUserToken 000007fefac318f0 6 bytes {JMP QWORD [RIP+0x21ae8e2]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WTSAPI32.dll!WTSRegisterSessionNotification 000007fefac31d00 6 bytes {JMP QWORD [RIP+0x21ae4ea]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WTSAPI32.dll!WTSUnRegisterSessionNotification + 1 000007fefac31e31 5 bytes {JMP QWORD [RIP+0x21ae3ca]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WTSAPI32.dll!WTSRegisterSessionNotificationEx 000007fefac35030 6 bytes {JMP QWORD [RIP+0x21ab1c2]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WTSAPI32.dll!WTSUnRegisterSessionNotificationEx 000007fefac350b4 6 bytes {JMP QWORD [RIP+0x21ab14e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WTSAPI32.dll!WTSEnumerateProcessesW 000007fefac354b0 6 bytes {JMP QWORD [RIP+0x21aad32]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IMM32.DLL!ImmAssociateContext 000007fefd241750 6 bytes {JMP QWORD [RIP-0x461546]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IMM32.DLL!ImmAssociateContextEx 000007fefd248240 6 bytes {JMP QWORD [RIP-0x46802e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!ReleaseStgMedium 000007feff069110 6 bytes {JMP QWORD [RIP-0x2288e96]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06dcb0 6 bytes {JMP QWORD [RIP-0x228da66]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 6 bytes {JMP QWORD [RIP-0x22a6fce]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!CoUnmarshalInterface + 1 000007feff08e689 5 bytes {JMP QWORD [RIP-0x22ae436]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!CoMarshalInterface 000007feff08eedc 6 bytes {JMP QWORD [RIP-0x22aec82]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff092b28 6 bytes {JMP QWORD [RIP-0x22b28ee]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!RevokeDragDrop 000007feff1c0ca0 6 bytes {JMP QWORD [RIP-0x23e0a2e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!RegisterDragDrop 000007feff1c0da0 6 bytes {JMP QWORD [RIP-0x23e0b36]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\ole32.dll!CoGetObject + 1 000007feff1c3ca1 5 bytes {JMP QWORD [RIP-0x23e3a3e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\SSPICLI.DLL!LsaRegisterLogonProcess + 1 000007fefcb29211 5 bytes {JMP QWORD [RIP+0x2b707a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\CRYPT32.dll!CertGetCertificateChain 000007fefcf50ba0 6 bytes {JMP QWORD [RIP-0x1708fe]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\CRYPT32.dll!CryptUnprotectData + 1 000007fefcf691b9 5 bytes {JMP QWORD [RIP-0x188f1e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\CRYPT32.dll!CryptProtectData 000007fefcf696d4 6 bytes {JMP QWORD [RIP-0x189442]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd3445c1 5 bytes {JMP QWORD [RIP-0x56430e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WS2_32.dll!WSANSPIoctl 000007fefd3644c0 6 bytes {JMP QWORD [RIP-0x584216]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd36e0f0 6 bytes {JMP QWORD [RIP-0x58de36]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\System32\wevtapi.dll!EvtIntAssertConfig 000007fefc7a00a0 6 bytes JMP 0 .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!CancelMibChangeNotify2 000007fefac06ff4 6 bytes {JMP QWORD [RIP+0x21d9316]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!IcmpCloseHandle 000007fefac07cc0 6 bytes {JMP QWORD [RIP+0x21d861a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho2Ex 000007fefac07f5c 6 bytes {JMP QWORD [RIP+0x21d839e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!IcmpCreateFile 000007fefac08250 6 bytes {JMP QWORD [RIP+0x21d807a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho 000007fefac08340 6 bytes {JMP QWORD [RIP+0x21d7fa2]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho2 000007fefac0839c 6 bytes {JMP QWORD [RIP+0x21d7f4e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!NotifyRouteChange2 000007fefac094b0 6 bytes {JMP QWORD [RIP+0x21d6e52]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!Icmp6SendEcho2 000007fefac09ce0 6 bytes {JMP QWORD [RIP+0x21d6612]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\IPHLPAPI.DLL!Icmp6CreateFile 000007fefac0a030 6 bytes {JMP QWORD [RIP+0x21d62a2]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\SETUPAPI.dll!VerifyCatalogFile + 1 000007fefe8a6799 5 bytes {JMP QWORD [RIP-0x1ac647e]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\CFGMGR32.dll!CM_Add_Driver_PackageW 000007fefcd875f8 6 bytes {JMP QWORD [RIP+0x58d2a]} .text C:\Program Files\Slimjet\slimjet.exe[3012] C:\Windows\system32\CFGMGR32.dll!CM_Add_Driver_Package_ExW 000007fefcd87650 6 bytes {JMP QWORD [RIP+0x58cda]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe22f0 2 bytes JMP 00000001749f7f40 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 3 0000000076fe22f3 2 bytes [A1, FD] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe6290 5 bytes JMP 00000001749f7e50 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076fea430 5 bytes JMP 0000000100130830 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx 0000000076ff5140 5 bytes JMP 00000001749fcad0 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!RtlGetCurrentDirectory_U 0000000077005d20 5 bytes JMP 00000001749d6710 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!RtlSetCurrentDirectory_U 0000000077006050 5 bytes JMP 00000001749d6980 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!LdrQueryImageFileExecutionOptions 00000000770066e0 5 bytes JMP 00000001749f8000 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter 000000007700be60 6 bytes [51, 48, B8, 00, 12, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPagesScatter + 8 000000007700be68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForSingleObject + 8 000000007700be78 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 000000007700be90 6 bytes JMP 00000001749cd390 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 000000007700be98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9c38} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 000000007700bea8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c1608} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 000000007700beb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletion + 8 000000007700bec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseSemaphore + 8 000000007700bed8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 8 000000007700bee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort + 8 000000007700bef8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda009c8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007700bf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetEvent + 8 000000007700bf18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee18} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee188} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 8 000000007700bf38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce818} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationFile + 8 000000007700bf48 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea6a8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 000000007700bf58 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea228} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey + 8 000000007700bf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFindAtom + 8 000000007700bf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultLocale + 8 000000007700bf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eaac8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryKey + 8 000000007700bf98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9ee8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey + 8 000000007700bfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 000000007700bfb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f1748} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 000000007700bfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects32 + 8 000000007700bfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather + 8 000000007700bfe8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9f16f8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 000000007700bff8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9568} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 000000007700c008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory + 8 000000007700c018 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ded68} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort + 8 000000007700c028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseMutant + 8 000000007700c038 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb678} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 000000007700c048 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df348} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 000000007700c058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ee2b8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory + 8 000000007700c068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007700c078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 000000007700c088 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbef8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007700c098 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cf2f8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007700c0a8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckAndAuditAlarm 000000007700c0c0 6 bytes [51, 48, B8, 60, 14, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckAndAuditAlarm + 8 000000007700c0c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007700c0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 8 000000007700c0e8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority 000000007700c100 6 bytes [51, 48, B8, A0, 14, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetEventBoostPriority + 8 000000007700c108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter + 8 000000007700c118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007700c128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007700c138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPerformanceCounter + 8 000000007700c148 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e98a8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey + 8 000000007700c158 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cee48} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007700c168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDelayExecution + 8 000000007700c178 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c9b28} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 000000007700c188 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01db8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 000000007700c198 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1c28} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 000000007700c1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimer + 8 000000007700c1b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc258} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile + 8 000000007700c1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 000000007700c1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCloseObjectAuditAlarm + 8 000000007700c1e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fbe68} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 000000007700c1f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cb5e8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007700c208 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtClearEvent + 8 000000007700c218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 000000007700c228 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e1178} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 000000007700c238 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fb568} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 000000007700c248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateToken + 8 000000007700c258 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage 000000007700c270 6 bytes [51, 48, B8, 10, 16, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDefaultUILanguage + 8 000000007700c278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 000000007700c288 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom 000000007700c2a0 6 bytes [51, 48, B8, 40, 16, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAddAtom + 8 000000007700c2a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0f28} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 000000007700c2b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cc5e8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVolumeInformationFile + 8 000000007700c2c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e18a8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 000000007700c2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile + 8 000000007700c2e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtApphelpCacheControl + 8 000000007700c2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 000000007700c308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 000000007700c318 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtIsProcessInJob + 8 000000007700c328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 000000007700c338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySection + 8 000000007700c348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 000000007700c358 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData 000000007700c370 6 bytes [51, 48, B8, 10, 17, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReadRequestData + 8 000000007700c378 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9cec78} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEvent + 8 000000007700c398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteRequestData + 8 000000007700c3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 000000007700c3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeAndAuditAlarm + 8 000000007700c3c8 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects 000000007700c3e0 6 bytes [51, 48, B8, 80, 17, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForMultipleObjects + 8 000000007700c3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 000000007700c3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFile + 8 000000007700c408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda01878} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTraceEvent + 8 000000007700c418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPowerInformation + 8 000000007700c428 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7f68} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 000000007700c438 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCancelTimer + 8 000000007700c448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimer + 8 000000007700c458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAcceptConnectPort + 8 000000007700c468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheck + 8 000000007700c478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType + 8 000000007700c488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultList + 8 000000007700c498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarm + 8 000000007700c4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByTypeResultListAndAuditAlarmByHandle + 8 000000007700c4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 8 000000007700c4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAddDriverEntry + 8 000000007700c4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustGroupsToken + 8 000000007700c4e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlertResumeThread + 8 000000007700c4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlertThread + 8 000000007700c508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateLocallyUniqueId + 8 000000007700c518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateReserveObject + 8 000000007700c528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUserPhysicalPages + 8 000000007700c538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateUuids + 8 000000007700c548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCancelMessage + 8 000000007700c568 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0458} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e02d8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePortSection + 8 000000007700c598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateResourceReserve + 8 000000007700c5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSectionView + 8 000000007700c5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreateSecurityContext + 8 000000007700c5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeletePortSection + 8 000000007700c5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteResourceReserve + 8 000000007700c5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSectionView + 8 000000007700c5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDeleteSecurityContext + 8 000000007700c608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcDisconnectPort + 8 000000007700c618 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de788} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort + 8 000000007700c628 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderProcess + 8 000000007700c638 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcOpenSenderThread + 8 000000007700c648 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de438} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformation + 8 000000007700c658 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de458} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcQueryInformationMessage + 8 000000007700c668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcRevokeSecurityContext + 8 000000007700c678 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9deee8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSetInformation + 8 000000007700c698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAreMappedFilesTheSame + 8 000000007700c6a8 9 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 2 000000007700c6b2 4 bytes {JMP 0xfffffffffda01990} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 8 000000007700c6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCancelIoFileEx + 8 000000007700c6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCancelSynchronousIoFile + 8 000000007700c6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCommitComplete + 8 000000007700c6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCommitEnlistment + 8 000000007700c6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction + 8 000000007700c708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCompactKeys + 8 000000007700c718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCompareTokens + 8 000000007700c728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCompleteConnectPort + 8 000000007700c738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCompressKey + 8 000000007700c748 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9dfba8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDebugObject + 8 000000007700c768 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateDirectoryObject + 8 000000007700c778 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEnlistment + 8 000000007700c788 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair + 8 000000007700c798 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 000000007700c7a8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda015c8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobObject + 8 000000007700c7b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateJobSet + 8 000000007700c7c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyTransacted + 8 000000007700c7d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 000000007700c7e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8dd8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMailslotFile + 8 000000007700c7f8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0d18} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 000000007700c808 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9c8f78} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 000000007700c818 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 000000007700c828 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df908} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 8 000000007700c838 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePrivateNamespace + 8 000000007700c848 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 000000007700c858 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 000000007700c868 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 000000007700c878 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateResourceManager + 8 000000007700c888 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0fa8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 000000007700c898 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 000000007700c8a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 000000007700c8b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 000000007700c8c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateToken + 8 000000007700c8d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction + 8 000000007700c8e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransactionManager + 8 000000007700c8f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 000000007700c908 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort + 8 000000007700c918 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWorkerFactory + 8 000000007700c928 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 000000007700c938 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugContinue + 8 000000007700c948 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteAtom + 8 000000007700c958 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry + 8 000000007700c968 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteDriverEntry + 8 000000007700c978 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ce958} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 000000007700c988 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ea0e8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey + 8 000000007700c998 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteObjectAuditAlarm + 8 000000007700c9a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeletePrivateNamespace + 8 000000007700c9b8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9f38} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 000000007700c9c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDisableLastKnownGood + 8 000000007700c9d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDisplayString + 8 000000007700c9e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDrawText + 8 000000007700c9f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtEnableLastKnownGood + 8 000000007700ca08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateBootEntries + 8 000000007700ca18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateDriverEntries + 8 000000007700ca28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateSystemEnvironmentValuesEx + 8 000000007700ca38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateTransactionObject + 8 000000007700ca48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtExtendSection + 8 000000007700ca58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFilterToken + 8 000000007700ca68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstallUILanguage + 8 000000007700ca78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFlushInstructionCache + 8 000000007700ca88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFlushKey + 8 000000007700ca98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFlushProcessWriteBuffers + 8 000000007700caa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFlushVirtualMemory + 8 000000007700cab8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFlushWriteBuffer + 8 000000007700cac8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFreeUserPhysicalPages + 8 000000007700cad8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeRegistry + 8 000000007700cae8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtFreezeTransactions + 8 000000007700caf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 8 000000007700cb08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetCurrentProcessorNumber + 8 000000007700cb18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetDevicePowerState + 8 000000007700cb28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetMUIRegistryInfo + 8 000000007700cb38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 000000007700cb48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 000000007700cb58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetNlsSectionPtr + 8 000000007700cb68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetNotificationResourceManager + 8 000000007700cb78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetPlugPlayEvent + 8 000000007700cb88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtGetWriteWatch + 8 000000007700cb98 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de238} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateAnonymousToken + 8 000000007700cba8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9de268} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateThread + 8 000000007700cbb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeNlsFiles + 8 000000007700cbc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtInitializeRegistry + 8 000000007700cbd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtInitiatePowerAction + 8 000000007700cbe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtIsSystemResumeAutomatic + 8 000000007700cbf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtIsUILanguageComitted + 8 000000007700cc08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtListenPort + 8 000000007700cc18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9eb938} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 000000007700cc28 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6d28} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey + 8 000000007700cc38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKey2 + 8 000000007700cc48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadKeyEx + 8 000000007700cc58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLockFile + 8 000000007700cc68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLockProductActivationKeys + 8 000000007700cc78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLockRegistryKey + 8 000000007700cc88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLockVirtualMemory + 8 000000007700cc98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtMakePermanentObject + 8 000000007700cca8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 8 000000007700ccb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtMapCMFModule + 8 000000007700ccc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtMapUserPhysicalPages + 8 000000007700ccd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 8 000000007700cce8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyDriverEntry + 8 000000007700ccf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeDirectoryFile + 8 000000007700cd08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e7838} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 8 000000007700cd18 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 8 000000007700cd28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeSession + 8 000000007700cd38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEnlistment + 8 000000007700cd48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 8 000000007700cd58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 000000007700cd68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenJobObject + 8 000000007700cd78 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e87b8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 000000007700cd88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransacted + 8 000000007700cd98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransactedEx + 8 000000007700cda8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 000000007700cdb8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0908} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 000000007700cdc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenObjectAuditAlarm + 8 000000007700cdd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenPrivateNamespace + 8 000000007700cde8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007700cdf8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenResourceManager + 8 000000007700ce08 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e0bf8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 000000007700ce18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSession + 8 000000007700ce28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 000000007700ce38 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa5e8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007700ce48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 000000007700ce58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransaction + 8 000000007700ce68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTransactionManager + 8 000000007700ce78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPlugPlayControl + 8 000000007700ce88 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareComplete + 8 000000007700ce98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPrePrepareEnlistment + 8 000000007700cea8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareComplete + 8 000000007700ceb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPrepareEnlistment + 8 000000007700cec8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeCheck + 8 000000007700ced8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegeObjectAuditAlarm + 8 000000007700cee8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPrivilegedServiceAuditAlarm + 8 000000007700cef8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationComplete + 8 000000007700cf08 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPropagationFailed + 8 000000007700cf18 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtPulseEvent + 8 000000007700cf28 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootEntryOrder + 8 000000007700cf38 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryBootOptions + 8 000000007700cf48 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDebugFilterState + 8 000000007700cf58 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryObject + 8 000000007700cf68 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDriverEntryOrder + 8 000000007700cf78 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryEaFile + 8 000000007700cf88 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9ca8a8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007700cf98 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationAtom + 8 000000007700cfa8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationEnlistment + 8 000000007700cfb8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationJobObject + 8 000000007700cfc8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationPort + 8 000000007700cfd8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationResourceManager + 8 000000007700cfe8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransaction + 8 000000007700cff8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationTransactionManager + 8 000000007700d008 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationWorkerFactory + 8 000000007700d018 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInstallUILanguage + 8 000000007700d028 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 000000007700d038 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIoCompletion + 8 000000007700d048 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue + 8 000000007700d058 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e9308} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 8 000000007700d068 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMutant + 8 000000007700d078 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeys + 8 000000007700d088 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryOpenSubKeysEx + 8 000000007700d098 12 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 5 000000007700d0a5 1 byte [13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryPortInformationProcess + 8 000000007700d0a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryQuotaInformationFile + 8 000000007700d0b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityAttributesToken + 8 000000007700d0c8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa3c8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject + 8 000000007700d0d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySemaphore + 8 000000007700d0e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySymbolicLinkObject + 8 000000007700d0f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValue + 8 000000007700d108 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx + 8 000000007700d118 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformationEx + 8 000000007700d128 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryTimerResolution + 8 000000007700d138 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 000000007700d148 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007700d160 6 bytes [51, 48, B8, 00, 25, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 000000007700d168 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReadOnlyEnlistment + 8 000000007700d178 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverEnlistment + 8 000000007700d188 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverResourceManager + 8 000000007700d198 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRecoverTransactionManager + 8 000000007700d1a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterProtocolAddressInformation + 8 000000007700d1b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRegisterThreadTerminatePort + 8 000000007700d1c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseKeyedEvent + 8 000000007700d1d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReleaseWorkerFactoryWorker + 8 000000007700d1e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveIoCompletionEx + 8 000000007700d1f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRemoveProcessDebug + 8 000000007700d208 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e66f8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRenameKey + 8 000000007700d218 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRenameTransactionManager + 8 000000007700d228 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplaceKey + 8 000000007700d238 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplacePartitionUnit + 8 000000007700d248 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReplyPort + 8 000000007700d258 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRequestPort + 8 000000007700d268 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtResetEvent + 8 000000007700d278 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtResetWriteWatch + 8 000000007700d288 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRestoreKey + 8 000000007700d298 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess + 8 000000007700d2a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackComplete + 8 000000007700d2b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackEnlistment + 8 000000007700d2c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction + 8 000000007700d2d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtRollforwardTransactionManager + 8 000000007700d2e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9e6658} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKey + 8 000000007700d2f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSaveKeyEx + 8 000000007700d308 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSaveMergedKeys + 8 000000007700d318 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9df218} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSerializeBoot + 8 000000007700d338 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 8 000000007700d348 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 8 000000007700d358 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 000000007700d368 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetDebugFilterState + 8 000000007700d378 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultHardErrorPort + 8 000000007700d388 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultLocale + 8 000000007700d398 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetDefaultUILanguage + 8 000000007700d3a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetDriverEntryOrder + 8 000000007700d3b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetEaFile + 8 000000007700d3c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighEventPair + 8 000000007700d3d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetHighWaitLowEventPair + 8 000000007700d3e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationDebugObject + 8 000000007700d3f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationEnlistment + 8 000000007700d408 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffda00c78} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationJobObject + 8 000000007700d418 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationKey + 8 000000007700d428 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationResourceManager + 8 000000007700d438 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa338} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationToken + 8 000000007700d448 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction + 8 000000007700d458 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransactionManager + 8 000000007700d468 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationWorkerFactory + 8 000000007700d478 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 000000007700d488 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletion + 8 000000007700d498 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetIoCompletionEx + 8 000000007700d4a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetLdtEntries + 8 000000007700d4b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowEventPair + 8 000000007700d4c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetLowWaitHighEventPair + 8 000000007700d4d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetQuotaInformationFile + 8 000000007700d4e8 14 bytes {ADD [RAX], AL; ADD [RAX-0x77], CL; ADD AL, 0x24; RET ; JMP 0xfffffffffd9fa0c8} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject + 8 000000007700d4f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValue + 8 000000007700d508 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx + 8 000000007700d518 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 000000007700d528 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 8 000000007700d538 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime + 8 000000007700d548 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetThreadExecutionState + 8 000000007700d558 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerEx + 8 000000007700d568 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetTimerResolution + 8 000000007700d578 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetUuidSeed + 8 000000007700d588 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetVolumeInformationFile + 8 000000007700d598 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 8 000000007700d5a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownWorkerFactory + 8 000000007700d5b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSignalAndWaitForSingleObject + 8 000000007700d5c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSinglePhaseReject + 8 000000007700d5d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtStartProfile + 8 000000007700d5e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtStopProfile + 8 000000007700d5f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 000000007700d608 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 000000007700d618 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 000000007700d628 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert 000000007700d640 6 bytes [51, 48, B8, E0, 29, 13] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert + 8 000000007700d648 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtThawRegistry + 8 000000007700d658 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtThawTransactions + 8 000000007700d668 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTraceControl + 8 000000007700d678 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTranslateFilePath + 8 000000007700d688 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUmsThreadYield + 8 000000007700d698 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 000000007700d6a8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey + 8 000000007700d6b8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey2 + 8 000000007700d6c8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKeyEx + 8 000000007700d6d8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockFile + 8 000000007700d6e8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtUnlockVirtualMemory + 8 000000007700d6f8 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 000000007700d708 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForDebugEvent + 8 000000007700d718 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForKeyedEvent + 8 000000007700d728 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitForWorkViaWorkerFactory + 8 000000007700d738 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitHighEventPair + 8 000000007700d748 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWaitLowEventPair + 8 000000007700d758 14 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWorkerFactoryWorkerReady + 8 000000007700d768 8 bytes [00, 00, 00, 48, 89, 04, 24, ...] .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!RtlGetFullPathName_UEx 0000000077010cd0 5 bytes JMP 00000001749d6c20 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\KERNELBASE.dll!GetFinalPathNameByHandleW 000007fefce39100 6 bytes {JMP QWORD [RIP-0x590fe]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefce60250 6 bytes {JMP QWORD [RIP-0x80256]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesW 000007fefe301460 6 bytes {JMP QWORD [RIP-0x15213b6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CloseEventLog + 1 000007fefe309271 5 bytes {JMP QWORD [RIP-0x152923e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!QueryServiceStatusEx 000007fefe309474 6 bytes {JMP QWORD [RIP-0x152943a]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!AccessCheckByType 000007fefe30a2e0 6 bytes {JMP QWORD [RIP-0x152a0fe]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryW 000007fefe30ab20 6 bytes {JMP QWORD [RIP-0x152a9b6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExW 000007fefe30eb20 6 bytes {JMP QWORD [RIP-0x152eab6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!ReportEventW 000007fefe310050 6 bytes {JMP QWORD [RIP-0x1530026]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!LookupAccountNameW 000007fefe310b24 6 bytes {JMP QWORD [RIP-0x15309ca]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceW + 1 000007fefe316031 5 bytes {JMP QWORD [RIP-0x153601e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!DeregisterEventSource 000007fefe31a5a0 6 bytes {JMP QWORD [RIP-0x153a586]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!GetTokenInformation 000007fefe31e0b0 6 bytes {JMP QWORD [RIP-0x153dec6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe325548 6 bytes {JMP QWORD [RIP-0x1545476]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameW 000007fefe3256a0 6 bytes {JMP QWORD [RIP-0x1545616]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameW 000007fefe325770 6 bytes {JMP QWORD [RIP-0x15456d6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!RegisterEventSourceA + 1 000007fefe327461 5 bytes {JMP QWORD [RIP-0x1547456]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!QueryServiceObjectSecurity 000007fefe33b2dc 6 bytes {JMP QWORD [RIP-0x155b22a]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2W 000007fefe33b310 6 bytes {JMP QWORD [RIP-0x155b2c6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!QueryServiceConfig2A 000007fefe33b330 6 bytes {JMP QWORD [RIP-0x155b2ee]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe33b77c 6 bytes {JMP QWORD [RIP-0x155b6b2]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CreateRestrictedToken 000007fefe33b7fc 6 bytes {JMP QWORD [RIP-0x155b68a]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe33b8f0 6 bytes {JMP QWORD [RIP-0x155b80e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe33b95c 6 bytes {JMP QWORD [RIP-0x155b882]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredRenameA 000007fefe342d50 6 bytes {JMP QWORD [RIP-0x1562c1e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!GetEffectiveRightsFromAclW 000007fefe345b00 6 bytes {JMP QWORD [RIP-0x1565986]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesA 000007fefe34d170 6 bytes {JMP QWORD [RIP-0x156d0ce]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExA 000007fefe34d2e0 6 bytes {JMP QWORD [RIP-0x156d27e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusA 000007fefe34d4e0 6 bytes {JMP QWORD [RIP-0x156d48e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusW 000007fefe34d8e0 6 bytes {JMP QWORD [RIP-0x156d886]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!UnlockServiceDatabase 000007fefe34d930 6 bytes {JMP QWORD [RIP-0x156d86e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusW 000007fefe34d9a0 6 bytes {JMP QWORD [RIP-0x156d926]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!QueryServiceLockStatusA 000007fefe34dab0 6 bytes {JMP QWORD [RIP-0x156da3e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!LockServiceDatabase 000007fefe34dbc0 6 bytes {JMP QWORD [RIP-0x156db06]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameA 000007fefe34dc40 6 bytes {JMP QWORD [RIP-0x156dbbe]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameA 000007fefe34dcd0 6 bytes {JMP QWORD [RIP-0x156dc3e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredDeleteW 000007fefe360910 6 bytes {JMP QWORD [RIP-0x15807ce]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredDeleteA 000007fefe3609d0 6 bytes {JMP QWORD [RIP-0x1580896]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!ReportEventA 000007fefe361cc0 6 bytes {JMP QWORD [RIP-0x1581c9e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!RegConnectRegistryA 000007fefe36c860 6 bytes {JMP QWORD [RIP-0x158c6fe]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsW 000007fefe36d820 6 bytes {JMP QWORD [RIP-0x158d6f6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredReadDomainCredentialsA 000007fefe36d950 6 bytes {JMP QWORD [RIP-0x158d82e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsW 000007fefe36da80 6 bytes {JMP QWORD [RIP-0x158d966]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredWriteDomainCredentialsA 000007fefe36db60 6 bytes {JMP QWORD [RIP-0x158da4e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefe36dc60 6 bytes {JMP QWORD [RIP-0x158db0e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefe36dd90 6 bytes {JMP QWORD [RIP-0x158dc46]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredReadW 000007fefe36dec0 6 bytes {JMP QWORD [RIP-0x158ddb6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredReadA 000007fefe36dfd0 6 bytes {JMP QWORD [RIP-0x158dece]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredWriteW 000007fefe36e0e0 6 bytes {JMP QWORD [RIP-0x158dfe6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CredWriteA 000007fefe36e190 6 bytes {JMP QWORD [RIP-0x158e09e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefe370c80 6 bytes {JMP QWORD [RIP-0x1590b96]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe2e642c 5 bytes JMP 000007fefe3255e8 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe2e6484 5 bytes JMP 000007fefe30e870 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe2e6518 5 bytes JMP 000007fefe31ae24 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerW 000007fefe2e659c 5 bytes JMP 000007fefe30e858 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatus 000007fefe2e6730 5 bytes JMP 000007fefe3161ac .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatusEx 000007fefe2e6784 5 bytes JMP 000007fefe309474 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefe2e6824 5 bytes JMP 000007fefe309460 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe2e687c 5 bytes JMP 000007fefe308e94 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerA 000007fefe2e6aa4 5 bytes JMP 000007fefe31a380 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe2e6c34 5 bytes JMP 000007fefe31a36c .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefe2e6d00 5 bytes JMP 000007fefe33b240 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!QueryServiceObjectSecurity 000007fefe2e6d58 5 bytes JMP 000007fefe33b2dc .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2e6e00 5 bytes JMP 000007fefe33b24c .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2e6f2c 5 bytes JMP 000007fefe33b95c .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2e7220 5 bytes JMP 000007fefe33b8f0 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2e739c 5 bytes JMP 000007fefe33b9d4 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2e7538 5 bytes JMP 000007fefe33b9c8 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2e75e8 5 bytes JMP 000007fefe33b77c .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2e790c 5 bytes JMP 000007fefe325548 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2e7ab4 5 bytes JMP 000007fefe3255d4 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigA 000007fefe2e7b04 5 bytes JMP 000007fefe33b2fc .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigW 000007fefe2e7c34 5 bytes JMP 000007fefe30ecac .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2A 000007fefe2e7d78 5 bytes JMP 000007fefe33b330 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2W 000007fefe2e8244 5 bytes JMP 000007fefe33b310 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe2e99e4 5 bytes JMP 000007fefe33b234 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe2e9ac8 5 bytes JMP 000007fefe306e4c .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe2ea51c 5 bytes JMP 000007fefe302c1c .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe2ea530 5 bytes JMP 000007fefe33b2d0 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe2ea5b0 4 bytes JMP 000007fefe308e60 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe2ea5c4 5 bytes JMP 000007fefe33b2c4 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe2ebb28 5 bytes JMP 000007fefe30da10 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe2ebb3c 5 bytes JMP 000007fefe327440 .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExW 000007fefe4c8724 6 bytes {JMP QWORD [RIP-0x16e855a]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\GDI32.dll!GdiAddFontResourceW 000007fefe4ca074 6 bytes {JMP QWORD [RIP-0x16e9ed2]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\GDI32.dll!GdiDllInitialize 000007fefe4cae78 6 bytes {JMP QWORD [RIP-0x16eacde]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\GDI32.dll!RemoveFontResourceExW 000007fefe4d4784 6 bytes {JMP QWORD [RIP-0x16f45da]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\GDI32.dll!GetFontResourceInfoW + 1 000007fefe4d4845 5 bytes {JMP QWORD [RIP-0x16f4692]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\GDI32.dll!EnumFontFamiliesExA 000007fefe4e91f0 6 bytes {JMP QWORD [RIP-0x170902e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\GDI32.dll!CreateScalableFontResourceW + 1 000007fefe4e9f4d 5 bytes {JMP QWORD [RIP-0x1709d92]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\IMM32.DLL!ImmAssociateContext 000007fefd241750 6 bytes {JMP QWORD [RIP-0x46157e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\IMM32.DLL!ImmAssociateContextEx 000007fefd248240 6 bytes {JMP QWORD [RIP-0x468066]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\CRYPT32.dll!CertGetCertificateChain 000007fefcf50ba0 6 bytes {JMP QWORD [RIP-0x17099e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\CRYPT32.dll!CryptUnprotectData + 1 000007fefcf691b9 5 bytes {JMP QWORD [RIP-0x188fbe]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\CRYPT32.dll!CryptProtectData 000007fefcf696d4 6 bytes {JMP QWORD [RIP-0x1894e2]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!ReleaseStgMedium 000007feff069110 6 bytes {JMP QWORD [RIP-0x2288ec6]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06dcb0 6 bytes {JMP QWORD [RIP-0x228da96]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 6 bytes {JMP QWORD [RIP-0x22a6ffe]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!CoUnmarshalInterface + 1 000007feff08e689 5 bytes {JMP QWORD [RIP-0x22ae466]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!CoMarshalInterface 000007feff08eedc 6 bytes {JMP QWORD [RIP-0x22aecb2]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff092b28 6 bytes {JMP QWORD [RIP-0x22b291e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!RevokeDragDrop 000007feff1c0ca0 6 bytes {JMP QWORD [RIP-0x23e0a5e]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!RegisterDragDrop 000007feff1c0da0 6 bytes {JMP QWORD [RIP-0x23e0b66]} .text C:\Program Files\Sandboxie\SandboxieCrypto.exe[3184] C:\Windows\system32\ole32.dll!CoGetObject + 1 000007feff1c3ca1 5 bytes {JMP QWORD [RIP-0x23e3a6e]} .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 05, 00, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 05, 00, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 05] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 05] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 05] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 05] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 05] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 05] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 05, 00] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\system32\kernel32.dll!VirtualProtectEx + 1 0000000076eebf81 13 bytes [B8, 84, 14, 05, 00, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007feff06dcb1 14 bytes [B8, 84, 92, 05, 00, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 8 bytes [48, B8, F4, 91, 05, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007feff08721a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007feff092b29 14 bytes [B8, F4, 92, 05, 00, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3644] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefd3a1c80 14 bytes [48, B8, 30, A8, 05, 00, 00, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 16, 00, 00, 00, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 16, 00, 00, 00, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 16] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 16] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 16] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 16] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 16] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 16] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 16, 00] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text D:\Pobrane\Notepad2-4.1.24-x86-64\Notepad2.exe[2888] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefd3a1c80 14 bytes [48, B8, 30, A8, 16, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076fe22f1 12 bytes [B8, 48, 74, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076fe6291 11 bytes [B8, 58, 73, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007700bf20 5 bytes [48, B8, A4, 2A, 06] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 000000007700bf28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007700c380 5 bytes [48, B8, 9C, 24, 06] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007700c388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 000000007700c550 5 bytes [48, B8, 54, 29, 06] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 000000007700c558 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007700c570 5 bytes [48, B8, AC, 22, 06] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 000000007700c578 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 000000007700c588 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007700c680 5 bytes [48, B8, 3C, 2B, 06] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 000000007700c688 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007700c750 5 bytes [48, B8, 0C, 24, 06] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 000000007700c758 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007700d320 6 bytes [48, B8, 68, 23, 06, 00] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 000000007700d328 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\kernel32.dll!VirtualProtectEx + 1 0000000076eebf81 13 bytes [B8, 84, 14, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefd3a1c80 14 bytes [48, B8, 30, A8, 06, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007feff06dcb1 14 bytes [B8, 84, 92, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff087210 8 bytes [48, B8, F4, 91, 06, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007feff08721a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007feff092b29 14 bytes [B8, F4, 92, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\SAMCLI.DLL!NetUserSetInfo + 1 000007fefa4868bd 1 byte [B8] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\SAMCLI.DLL!NetUserSetInfo + 3 000007fefa4868bf 12 bytes [26, 06, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[3636] C:\Windows\system32\SAMCLI.DLL!NetUserChangePassword 000007fefa487e18 15 bytes [48, B8, 7C, 27, 06, 00, 00, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtClose + 1 00000000771bf9e1 3 bytes [0B, 1D, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtClose + 5 00000000771bf9e5 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000771c00b5 3 bytes [08, 1A, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771c00b9 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 1 00000000771c0389 3 bytes [68, 1C, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 5 00000000771c038d 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000771c03b9 3 bytes [96, 19, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000771c03bd 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 1 00000000771c03d1 3 bytes [E0, 1B, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 5 00000000771c03d5 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 1 00000000771c0551 3 bytes [34, 1D, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 00000000771c0555 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 00000000771c0695 3 bytes [E2, 19, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 00000000771c0699 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000771c18c1 3 bytes [BC, 19, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000771c18c5 2 bytes [50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000771ddffe 7 bytes [B8, B3, 75, 19, 00, 50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771df7fd 10 bytes [B8, 05, 83, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074f24322 7 bytes JMP 00000001001911e5 .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000074fa4d6a 7 bytes JMP 0000000100191229 .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075f678e2 8 bytes [B8, 8D, 1D, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075f67bd3 8 bytes [B8, 45, 1D, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f68332 7 bytes [B8, DD, 18, 19, 00, 50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!RegisterClassW + 237 0000000075f68b52 8 bytes [B8, 96, 5B, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075f705ba 11 bytes [B8, 20, 1E, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f7291f 11 bytes [B8, 94, 76, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075f75f74 11 bytes [B8, D5, 1D, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f76110 7 bytes [B8, B7, 18, 19, 00, 50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075f76285 12 bytes [B8, E2, 77, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!ScrollWindowEx + 84 0000000075f8d5bf 8 bytes [B8, 44, 73, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f8eb96 7 bytes [B8, E7, 75, 19, 00, 50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075f8ec69 3 bytes [41, 77, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075f8ec6d 5 bytes [50, C3, 90, 90, 90] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075fb816c 11 bytes [B8, 7A, 56, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075fc8370 3 bytes [DD, 55, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075fc8374 5 bytes [50, C3, 90, 90, 90] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!EndTask + 1 0000000075fca7ef 3 bytes [4F, 19, 19] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\USER32.dll!EndTask + 5 0000000075fca7f3 5 bytes [50, C3, 90, 90, 90] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\MSCTF.dll!TF_Notify 0000000076073a1d 7 bytes [B8, 71, 73, 19, 00, 50, C3] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000750c548d 10 bytes [B8, D7, 69, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000750d9cff 8 bytes [B8, 53, 86, 19, 00, 50, C3, ...] .text D:\Pobrane\FRST-GMER\ockq3kzv.exe[3164] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000750d9d42 9 bytes [B8, B1, 69, 19, 00, 50, C3, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IofCompleteRequest] [fffff88003a981bc] \??\C:\Program Files (x86)\SpyShelter Firewall\SpyShelter.sys [.text] ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----