GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-18 05:56:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-2 Corsair_Force_3_SSD rev.5.03 111,79GB
Running: lf9evwp7.exe; Driver: C:\Users\KO\AppData\Local\Temp\pxldqpoc.sys

---- Kernel code sections - GMER 2.1 ----

PAGE   C:\Windows\system32\drivers\PCIIDEX.SYS!DllUnload   fffff880012eca50 12 bytes {MOV RAX, 0xfffffa8006ba32a0; JMP RAX}
PAGE   C:\Windows\system32\drivers\ataport.SYS!DllUnload   fffff880013834a0 12 bytes {MOV RAX, 0xfffffa80069ce2a0; JMP RAX}
.text  C:\Windows\system32\drivers\USBPORT.SYS!DllUnload   fffff880071c8d8c 12 bytes {MOV RAX, 0xfffffa80076212a0; JMP RAX}
.text  C:\Windows\System32\win32k.sys!W32pServiceTable     fffff96000144d00 7 bytes [C0, 83, F3, FF, C1, 94, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000144d08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, F0, 12, B1, 01]
.text  C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[876] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 0000000076dcb851 11 bytes [B8, F0, 12, D4, 01, 00, 00, ...]
.text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 79, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] 
.text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1156] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text 
C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, 32, 5A, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1220] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, CB, 59, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[1220] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, C9, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1220] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, C7, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 
75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text 
C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, 32, 5A, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\System32\svchost.exe[1264] 
C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1264] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\winhttp.dll!WinHttpCloseHandle 000007fefb0622e0 12 bytes [48, B8, F9, A2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\winhttp.dll!WinHttpOpenRequest 000007fefb0645f8 12 bytes [48, B8, 39, A1, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\winhttp.dll!WinHttpConnect 000007fefb073e3c 12 bytes [48, B8, B9, A4, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, CB, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, C9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, C7, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefdf6dd61 11 bytes [B8, 79, 8A, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, CB, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, C9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, C7, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb0622e0 12 bytes [48, B8, F9, A2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb0645f8 12 bytes [48, B8, 39, A1, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1332] C:\Windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb073e3c 12 bytes [48, B8, B9, A4, 59, 75, 00, ...] .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] 
C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\msvcrt.dll!__p__environ 
0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 
000000007634494d 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1472] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000006a0179 5 bytes JMP 0000000075664d29 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1616] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, CB, 59, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1616] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, C9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, C7, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb0622e0 12 bytes [48, B8, F9, A2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb0645f8 12 bytes [48, B8, 39, A1, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1616] c:\windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb073e3c 12 bytes [48, B8, B9, A4, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1700] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 
0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 
00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] 
.text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, F9, 19, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1700] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text 
C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text 
C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, CB, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, C9, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, C7, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, F9, 19, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetCloseHandle + 1 000007fefd6b3fa1 11 bytes [B8, 39, 0A, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!HttpOpenRequestW + 1 000007fefd6b5441 11 bytes [B8, F9, F6, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetConnectW + 1 000007fefd6bb581 11 bytes [B8, 79, F3, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!HttpSendRequestW + 1 000007fefd6bc5a1 11 bytes [B8, 79, FA, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetReadFile + 1 000007fefd6bd941 11 bytes [B8, 79, E5, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!HttpSendRequestExW + 1 000007fefd6f8a01 11 bytes [B8, F9, FD, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetWriteFile + 1 000007fefd6f8eb1 11 bytes [B8, B9, E3, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetOpenW + 1 000007fefd718b91 11 bytes [B8, F9, E8, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetOpenA 000007fefd718d30 12 bytes [48, B8, 39, E7, 59, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!HttpSendRequestA + 1 000007fefd75de71 11 bytes [B8, B9, F8, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetConnectA + 1 000007fefd7be951 11 bytes [B8, B9, F1, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetOpenUrlA + 1 000007fefd7bed41 11 bytes [B8, B9, EA, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!InternetOpenUrlW + 1 000007fefd7bf9f1 11 bytes [B8, 79, EC, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!FtpGetFileA 000007fefd7d0210 12 bytes [48, B8, 39, 03, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!FtpOpenFileA + 1 000007fefd7d06c1 11 bytes [B8, 39, EE, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!FtpPutFileA 000007fefd7d07a0 12 bytes [48, B8, B9, 06, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!FtpGetFileW + 1 000007fefd7d4111 11 bytes [B8, F9, 04, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!FtpOpenFileW + 1 000007fefd7d4221 11 bytes [B8, F9, EF, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!FtpPutFileW + 1 000007fefd7d4421 11 bytes [B8, 79, 08, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!HttpSendRequestExA + 1 000007fefd7e8681 11 bytes [B8, 39, FC, 59, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\WININET.dll!HttpOpenRequestA + 1 000007fefd7eb0f1 11 bytes [B8, 39, F5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, 
B8, 79, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1900] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, 
C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 42, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetCloseHandle + 1 000007fefd6b3fa1 11 bytes [B8, 39, 0A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!HttpOpenRequestW + 1 000007fefd6b5441 11 bytes [B8, F9, F6, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetConnectW + 1 000007fefd6bb581 11 bytes [B8, 79, F3, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!HttpSendRequestW + 1 000007fefd6bc5a1 11 bytes [B8, 79, FA, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetReadFile + 1 000007fefd6bd941 11 bytes [B8, 79, E5, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!HttpSendRequestExW + 1 000007fefd6f8a01 11 bytes [B8, F9, FD, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetWriteFile + 1 000007fefd6f8eb1 11 bytes [B8, B9, E3, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetOpenW + 1 000007fefd718b91 11 bytes [B8, F9, E8, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetOpenA 000007fefd718d30 12 bytes [48, B8, 39, E7, 59, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!HttpSendRequestA + 1 000007fefd75de71 11 bytes [B8, B9, F8, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetConnectA + 1 000007fefd7be951 11 bytes [B8, B9, F1, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetOpenUrlA + 1 000007fefd7bed41 11 bytes [B8, B9, EA, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!InternetOpenUrlW + 1 000007fefd7bf9f1 11 bytes [B8, 79, EC, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!FtpGetFileA 000007fefd7d0210 12 bytes [48, B8, 39, 03, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!FtpOpenFileA + 1 000007fefd7d06c1 11 bytes [B8, 39, EE, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!FtpPutFileA 000007fefd7d07a0 12 bytes [48, B8, B9, 06, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!FtpGetFileW + 1 000007fefd7d4111 11 bytes [B8, F9, 04, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!FtpOpenFileW + 1 000007fefd7d4221 11 bytes [B8, F9, EF, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!FtpPutFileW + 1 000007fefd7d4421 11 bytes [B8, 79, 08, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!HttpSendRequestExA + 1 000007fefd7e8681 11 bytes [B8, 39, FC, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\wininet.dll!HttpOpenRequestA + 1 000007fefd7eb0f1 11 bytes [B8, 39, F5, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 
0000000175663309 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text 
C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] 
C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text 
C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] 
C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000000960179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669171 .text C:\Program Files 
(x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 
0000000075e0ae99 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] 
C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text 
C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] 
C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175669339 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 
.text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files 
(x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1564] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] 
C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, 
B8, 39, 34, 5A, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] 
.text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... 
* 2 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, C5, 59, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, F9, 55, 59, 75, 00, 00] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, F9, 5C, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 39, 5B, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, F9, 71, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, A2, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, B9, 73, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes 
[00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, B9, 5E, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, 79, 60, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text 
C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, 39, CB, 59, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, 39, 69, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, C9, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, 39, 70, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, B9, 6C, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, B9, 65, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, A4, 59, 75, 00, ...] 
.text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 79, 75, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, 79, B4, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, B9, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, A9, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, BE, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, B7, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, BB, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, BD, 59, 75] .text ... * 2 .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, F9, D3, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, 79, 59, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, AF, 59, 75, 00, 00] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, B9, 57, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, F9, 4E, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 79, 4B, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, 39, 46, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 79, 44, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, 39, 4D, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, F9, 47, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, B9, 49, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, B2, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefd9780b0 12 bytes [48, B8, 79, 98, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefd979641 11 bytes [B8, F9, 94, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA 000007fefda01370 12 bytes [48, B8, B9, 96, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefda014f0 12 bytes [48, B8, 39, 93, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetCloseHandle + 1 000007fefd6b3fa1 11 bytes [B8, 39, A1, 59, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!HttpOpenRequestW + 1 000007fefd6b5441 11 bytes [B8, 79, 8A, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetConnectW + 1 000007fefd6bb581 11 bytes [B8, F9, 86, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!HttpSendRequestW + 1 000007fefd6bc5a1 11 bytes [B8, F9, 8D, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetReadFile + 1 000007fefd6bd941 11 bytes [B8, F9, 78, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!HttpSendRequestExW + 1 000007fefd6f8a01 11 bytes [B8, 79, 91, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetWriteFile + 1 000007fefd6f8eb1 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetOpenW + 1 000007fefd718b91 11 bytes [B8, 79, 7C, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetOpenA 000007fefd718d30 12 bytes [48, B8, B9, 7A, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!HttpSendRequestA + 1 000007fefd75de71 11 bytes [B8, 39, 8C, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetConnectA + 1 000007fefd7be951 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetOpenUrlA + 1 000007fefd7bed41 11 bytes [B8, 39, 7E, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!InternetOpenUrlW + 1 000007fefd7bf9f1 11 bytes [B8, F9, 7F, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!FtpGetFileA 000007fefd7d0210 12 bytes [48, B8, 39, 9A, 59, 75, 00, ...] 
.text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!FtpOpenFileA + 1 000007fefd7d06c1 11 bytes [B8, B9, 81, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!FtpPutFileA 000007fefd7d07a0 12 bytes [48, B8, B9, 9D, 59, 75, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!FtpGetFileW + 1 000007fefd7d4111 11 bytes [B8, F9, 9B, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!FtpOpenFileW + 1 000007fefd7d4221 11 bytes [B8, 79, 83, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!FtpPutFileW + 1 000007fefd7d4421 11 bytes [B8, 79, 9F, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!HttpSendRequestExA + 1 000007fefd7e8681 11 bytes [B8, B9, 8F, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WININET.dll!HttpOpenRequestA + 1 000007fefd7eb0f1 11 bytes [B8, B9, 88, 59, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] 
.text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Enigma Software 
Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] 
C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] 
C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe[2288] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000009b0179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text 
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes 
JMP 0000000175664901 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] 
C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files 
(x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text 
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2428] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000000d10179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] 
C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] 
C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Autodesk\Content 
Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] 
C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text 
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] 
C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] 
C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files 
(x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] 
C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\Autodesk\Content 
Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 00000000043c0179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000038a1401 2 bytes JMP 76a5b21b C:\Windows\syswow64\KERNEL32.dll 
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000038a1419 2 bytes JMP 76a5b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000038a1431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000038a144a 2 bytes CALL 76a3489d C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000038a14dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000038a14f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000038a150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000038a1525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000038a153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000038a1555 2 bytes JMP 76a568ef 
C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000038a156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000038a1585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000038a159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000038a15b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000038a15cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000038a16b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2500] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000038a16bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] 
C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] 
C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files 
(x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files 
(x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files 
(x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files 
(x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files 
(x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files 
(x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] 
C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] 
C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2584] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 53, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, CB, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 51, 5A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, C9, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, FA, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 27, 5A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, FC, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 50, 5A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, E1, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 58, 5A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, F1, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 57, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, F8, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, F5, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, EE, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, D0, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 29, 5A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 4E, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, FD, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, CE, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, CC, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, EA, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 47, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 4C, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 49, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 4A, 5A, 75] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, 39, 5E, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 34, 5A, 75, 00, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 5F, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 40, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2608] C:\Windows\system32\OPENGL32.dll!wglMakeCurrent 000007fef3de54b0 12 bytes [48, B8, B9, 9D, 59, 75, 00, ...] 
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files 
(x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] 
C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] 
C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] 
C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] 
C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 
bytes JMP 0000000175661b49 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files 
(x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] 
C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 
000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 
0000000175663d21 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000001260179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 00000000005d2b50 5 bytes JMP 00000000756693d1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000000611130 5 bytes JMP 0000000075664149 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000000611910 5 bytes JMP 00000000756621d1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 000000000068e650 5 bytes JMP 0000000075667c11 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 000000000068e7a0 5 bytes JMP 0000000075662ab9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 0000000175667b79 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175667291 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 00000001756673c1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175667459 .text 
C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 0000000175667329 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 00000001756674f1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175667621 .text C:\Program Files 
(x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175667ae1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} 
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2640] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 0000000175661c79 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 
0000000175661ed9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175661d11 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175662139 .text C:\Program Files 
(x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662989 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175662301 .text C:\Program Files 
(x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175661851 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175664739 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175664609 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175662431 .text C:\Program Files 
(x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175664d29 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 0000000175662859 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756654e1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175662ab9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175662691 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 00000001756627c1 .text C:\Program Files 
(x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175662561 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175665579 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175664869 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175665611 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756621d1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] 
C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175664999 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175661721 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 00000001756617b9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000003a1401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000003a1419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000003a1431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000003a144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000003a14dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000003a14f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000003a150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000003a1525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000003a153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000003a1555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000003a156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000003a1585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000003a159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000003a15b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000003a15cd 2 bytes JMP 76a5b2dc 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000003a16b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000003a16bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\urlmon.DLL!CreateUri + 128 0000000004da2b50 5 bytes JMP 0000000075665741 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\urlmon.DLL!URLDownloadToCacheFileW 0000000004de1130 5 bytes JMP 0000000075664019 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\urlmon.DLL!URLDownloadToFileW 0000000004de1910 5 bytes JMP 0000000075663ee9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\urlmon.DLL!URLDownloadToCacheFileA 0000000004e5e650 5 bytes JMP 0000000075663f81 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\urlmon.DLL!URLDownloadToFileA 0000000004e5e7a0 5 bytes JMP 0000000075663e51 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175663699 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] 
C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175663991 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 0000000175663731 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 00000001756637c9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175663861 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 00000001756641e1 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] 
C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 0000000175664149 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 00000001756638f9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2724] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] 
C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program 
Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] 
C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!Process32NextW 
0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files 
(x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] 
C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 
.text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files 
(x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] 
C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files 
(x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!PostMessageA 
0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files 
(x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2884] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 
000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 
0000000175663439 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 
0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] 
C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files 
(x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files 
(x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text 
C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files 
(x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 00000000055f2b50 5 bytes JMP 0000000075669339 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000005631130 5 bytes JMP 0000000075664149 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000005631910 5 bytes JMP 00000000756621d1 .text C:\Program Files 
(x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 00000000056ae650 5 bytes JMP 0000000075667c11 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 00000000056ae7a0 5 bytes JMP 0000000075662ab9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 0000000175667b79 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175667291 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 00000001756673c1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175667459 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 0000000175667329 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175667751 .text 
C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 00000001756674f1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175667ae1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000005760179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files 
(x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000005181401 2 bytes JMP 76a5b21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000005181419 2 bytes JMP 76a5b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000005181431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000518144a 2 bytes CALL 76a3489d C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000051814dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000051814f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000518150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000005181525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000518153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000005181555 2 bytes JMP 76a568ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000518156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000005181585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000518159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\KERNEL32.dll .text 
C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000051815b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000051815cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000051816b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TechSmith\Jing\Jing.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000051816bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes 
JMP 00000001756657d9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 
0000000175662d19 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 
bytes JMP 0000000175662009 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] 
C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files 
(x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 
.text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 00000001756656a9 .text 
C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175667ae1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175667c11 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] 
C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] 
C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] 
C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175667fa1 .text C:\Program Files 
(x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text 
C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000009e0179 5 bytes 
JMP 0000000075664d29 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000003c1401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000003c1419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000003c1431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000003c144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000003c14dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000003c14f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000003c150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000003c1525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000003c153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000003c1555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000003c156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000003c1585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000003c159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000003c15b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000003c15cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000003c16b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000003c16bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, F0, 12, C2, 02] .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 
00, 50, C3] .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 0000000175661c79 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175661d11 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662989 .text C:\Program Files 
(x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175664999 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] 
C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175661851 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756621d1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175661721 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 00000001756617b9 .text C:\Program 
Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 00000001756654e1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175664869 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175664739 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175664609 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175664d29 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 
000000007633df1e 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 0000000175662859 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175665579 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175662691 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175662561 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000001af2b50 5 bytes JMP 0000000075665611 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000001b31130 5 bytes JMP 0000000075664019 .text C:\Program Files (x86)\Total CMA 
Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000001b31910 5 bytes JMP 0000000075663ee9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 0000000001bae650 5 bytes JMP 0000000075663f81 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000001bae7a0 5 bytes JMP 0000000075663e51 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175663699 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 
bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175663991 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 0000000175663731 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 00000001756637c9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175663861 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 00000001756641e1 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 0000000175664149 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 00000001756638f9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000003221401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] 
C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000003221419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000003221431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000322144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000032214dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000032214f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000322150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000003221525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000322153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000003221555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000322156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000003221585 2 bytes JMP 76ad8b42 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000322159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000032215b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000032215cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000032216b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Total CMA Pack\TOTALCMD.EXE[1280] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000032216bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] 
C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program 
Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] 
C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 
bytes JMP 00000001756624c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] 
C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 
0000000175664019 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSMonitorServicePDVD14.exe[2848] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] 
C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076a38781 5 bytes JMP 0000000173981000 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 
0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] 
C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program 
Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 00000001756656a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175667ae1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] 
C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175667c11 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] 
C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] 
C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text 
C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 
0000000175664019 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000006c0179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000002d1401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000002d1419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000002d1431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000002d144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000002d14dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000002d14f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000002d150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000002d1525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000002d153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000002d1555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000002d156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000002d1585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000002d159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000002d15b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000002d15cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000002d16b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000002d16bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 0000000175666a41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175666ad9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe[3088] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175666f99 .text C:\Program Files 
C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 
0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 
.text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Unified 
Remote\RemoteServer.exe[3224] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!FindWindowA 
0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program 
Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 
00000001756641e1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000005410179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000004481401 2 bytes JMP 76a5b21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000004481419 2 bytes JMP 76a5b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000004481431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000448144a 2 bytes CALL 76a3489d C:\Windows\syswow64\KERNEL32.dll .text ... 
* 9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000044814dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000044814f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000448150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000004481525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000448153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000004481555 2 bytes JMP 76a568ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000448156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000004481585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000448159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000044815b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000044815cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000044816b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000044816bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 00000000068d2b50 5 bytes JMP 0000000075669469 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000006911130 5 bytes JMP 0000000075664149 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000006911910 5 bytes JMP 00000000756621d1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 000000000698e650 5 bytes JMP 0000000075667c11 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 000000000698e7a0 5 bytes JMP 0000000075662ab9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 0000000175667b79 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175667291 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 00000001756673c1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175667459 .text 
C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 0000000175667329 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 00000001756674f1 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] 
C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\Unified Remote\RemoteServer.exe[3224] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175667ae1 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 
bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 
6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 
0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 
75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, F9, 19, 5A, 75, 00, 00, ...] 
.text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[3280] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] 
C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, 32, 5A, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 
bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3336] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb0622e0 12 bytes [48, B8, F9, A2, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb0645f8 12 bytes [48, B8, 39, A1, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] c:\windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb073e3c 12 bytes [48, B8, B9, A4, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, CB, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, C9, 59, 75, 00, ...] .text C:\Windows\System32\svchost.exe[3336] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, C7, 59, 75, 00, ...] 
.text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files 
(x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] 
C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe[3420] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 
0000000175664a31 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 0000000175661c79 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175661981 .text 
C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175661d11 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662989 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175665151 .text C:\Program Files 
(x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175661851 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756644d9 .text 
C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 00000001756654e1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175664869 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175665579 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756621d1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 00000001756653b1 .text C:\Program Files 
(x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175664999 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175661721 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 00000001756617b9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175664739 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175664609 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175664d29 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175662399 .text C:\Program Files 
(x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 0000000175662859 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175665611 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175662ab9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175662691 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175662561 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\URLMON.DLL!CreateUri + 128 0000000003672b50 5 bytes JMP 00000000756656a9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\URLMON.DLL!URLDownloadToCacheFileW 00000000036b1130 5 bytes JMP 0000000075664019 .text C:\Program Files 
(x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\URLMON.DLL!URLDownloadToFileW 00000000036b1910 5 bytes JMP 0000000075663ee9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\URLMON.DLL!URLDownloadToCacheFileA 000000000372e650 5 bytes JMP 0000000075663f81 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\URLMON.DLL!URLDownloadToFileA 000000000372e7a0 5 bytes JMP 0000000075663e51 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175663699 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 0000000175663bf1 .text C:\Program Files 
(x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175663991 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 0000000175663731 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 00000001756637c9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175663861 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 00000001756641e1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 0000000175664149 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 00000001756638f9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000005d71401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000005d71419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000005d71431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000005d7144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000005d714dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000005d714f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000005d7150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000005d71525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000005d7153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000005d71555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000005d7156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000005d71585 2 bytes JMP 76ad8b42 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000005d7159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000005d715b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000005d715cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000005d716b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000005d716bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, 39, 42, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\HPSIsvc.exe[3992] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] 
C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 
000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 
bytes JMP 0000000175661f71 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!WinExec 0000000076ab3051 5 bytes JMP 
00000001756628f1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 
0000000175666289 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files 
(x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files 
(x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files 
(x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files 
(x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] 
C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] 
C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 00000000041b0179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000003a12b50 5 bytes JMP 0000000075668a51 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000003a51130 5 bytes JMP 0000000075664149 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000003a51910 5 bytes JMP 00000000756621d1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 0000000003ace650 5 bytes JMP 0000000075667291 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000003ace7a0 5 bytes JMP 0000000075662ab9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] 
C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 0000000175666a41 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175666ad9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 00000001756669a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 0000000175667031 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175666dd1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] 
C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175666f01 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 0000000175666b71 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 0000000175667329 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175666ca1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 0000000175667459 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 00000001756673c1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 00000001756674f1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!closesocket 0000000076153918 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!WSASocketW 0000000076153cd3 5 
bytes JMP 00000001756656a9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175667ae1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!WSARecv 0000000076157089 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175667c11 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[4060] C:\Windows\syswow64\ws2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] 
C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 
0000000175663439 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076a38781 5 bytes JMP 0000000173981000 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] 
C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text 
C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] 
C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes 
JMP 00000001756634d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] 
C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program 
Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 
00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000000700179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000005b1401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000005b1419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text 
C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000005b1431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000005b144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000005b14dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000005b14f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000005b150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000005b1525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000005b153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000005b1555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000005b156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000005b1585 2 bytes JMP 76ad8b42 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000005b159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000005b15b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000005b15cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000005b16b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000005b16bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 0000000175666a41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175666ad9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] 
C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 00000001756669a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 0000000175667031 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175666dd1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175666f01 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 0000000175666b71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 0000000175667329 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175666ca1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 0000000175667459 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 00000001756673c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 00000001756674f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000004192b50 5 bytes JMP 0000000075668ae9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 00000000041d1130 5 bytes JMP 0000000075664149 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 00000000041d1910 5 bytes JMP 00000000756621d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 000000000424e650 5 bytes JMP 0000000075667291 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 000000000424e7a0 5 bytes JMP 0000000075662ab9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 00000001756656a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 
0000000175667ae1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175667c11 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe[1936] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 53, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, CB, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 51, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes 
[00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, C9, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, FA, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 
0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 27, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, FC, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, 
C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 50, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, E1, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 58, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, F1, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 57, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, F8, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, F5, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, EE, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, D0, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, D2, 59, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 29, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 4E, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, FD, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, CE, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, CC, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, EA, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, C7, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, C5, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, C4, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, F9, 3C, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, A8, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, C2, 59, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, AB, 59, 75, 00] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, B9, 61, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 40, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 47, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 4C, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 49, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 4A, 5A, 75] .text ... * 2 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, 79, 63, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 34, 5A, 75, 00, 00] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetCloseHandle + 1 000007fefd6b3fa1 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!HttpOpenRequestW + 1 000007fefd6b5441 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetConnectW + 1 000007fefd6bb581 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!HttpSendRequestW + 1 000007fefd6bc5a1 11 bytes [B8, 79, 16, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetReadFile + 1 000007fefd6bd941 11 bytes [B8, 79, 01, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!HttpSendRequestExW + 1 000007fefd6f8a01 11 bytes [B8, F9, 19, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetWriteFile + 1 000007fefd6f8eb1 11 bytes [B8, B9, FF, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetOpenW + 1 000007fefd718b91 11 bytes [B8, F9, 04, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetOpenA 000007fefd718d30 12 bytes [48, B8, 39, 03, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!HttpSendRequestA + 1 000007fefd75de71 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetConnectA + 1 000007fefd7be951 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetOpenUrlA + 1 000007fefd7bed41 11 bytes [B8, B9, 06, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!InternetOpenUrlW + 1 000007fefd7bf9f1 11 bytes [B8, 79, 08, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!FtpGetFileA 000007fefd7d0210 12 bytes [48, B8, 39, 1F, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!FtpOpenFileA + 1 000007fefd7d06c1 11 bytes [B8, 39, 0A, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!FtpPutFileA 000007fefd7d07a0 12 bytes [48, B8, B9, 22, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!FtpGetFileW + 1 000007fefd7d4111 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!FtpOpenFileW + 1 000007fefd7d4221 11 bytes [B8, F9, 0B, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!FtpPutFileW + 1 000007fefd7d4421 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!HttpSendRequestExA + 1 000007fefd7e8681 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[4184] C:\Windows\system32\WININET.dll!HttpOpenRequestA + 1 000007fefd7eb0f1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, 39, 0A, 5A, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 79, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4392] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text 
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\HP\HP 
Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files 
(x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files 
(x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program 
Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\HP\HP 
Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] 
C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] 
C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] 
C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] 
C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4452] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000006f0179 5 bytes JMP 0000000075664d29 .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 5 bytes [48, B8, F0, 12, FF] .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[4496] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 0000000076dcb851 11 bytes [B8, F0, 12, 83, 01, 00, 00, ...] 
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 
0000000175662ee1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] 
C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\AVG Web 
TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files 
(x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program 
Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program 
Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\AVG 
Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text 
C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000000ce0179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000000c1401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000000c1419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000000c1431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web 
TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000000c144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000000c14dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000000c14f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000000c150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000000c1525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000000c153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000000c1555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000000c156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000000c1585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000000c159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000000c15b5 2 bytes JMP 76a4fd41 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000000c15cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000000c16b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000000c16bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 0000000175667b79 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175667291 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 00000001756673c1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175667459 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 0000000175667329 
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 00000001756674f1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175667ae1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000003bb2b50 5 bytes JMP 0000000075669469 .text 
C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000003bf1130 5 bytes JMP 0000000075664149 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000003bf1910 5 bytes JMP 00000000756621d1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 0000000003c6e650 5 bytes JMP 0000000075667c11 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000003c6e7a0 5 bytes JMP 0000000075662ab9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] 
C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4556] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] 
C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] 
C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] 
C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] 
C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 
0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\LogMeIn 
Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] 
C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 
000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 
00000001756683c9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] 
C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000001640179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 0000000000711401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 0000000000711419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 0000000000711431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 000000000071144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 00000000007114dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 00000000007114f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 000000000071150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 0000000000711525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 000000000071153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 0000000000711555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 000000000071156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 0000000000711585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 000000000071159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 00000000007115b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn 
Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 00000000007115cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 00000000007116b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[4632] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 00000000007116bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007704f974 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 0000000175666159 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007704fe14 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] 
C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007704fff0 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770507e8 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 00000001756666b1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077051dd8 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] 
C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666f01 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666ca1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666b71 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666dd1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files 
(x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175667031 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666a41 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text 
C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668ae9 .text 
C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 
.text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669339 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 00000001756693d1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 1 byte JMP 0000000175668591 
.text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes + 2 0000000075f3868f 3 bytes {JMP 0xffffffffff72ff04} .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175669469 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files 
(x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files 
(x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665c01 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000005640179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 0000000175666029 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 
bytes JMP 00000001756684f9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000c51401 2 bytes JMP 76a5b21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000c51419 2 bytes JMP 76a5b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000c51431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000000c5144a 2 bytes CALL 76a3489d C:\Windows\syswow64\KERNEL32.dll .text ... 
* 9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000000c514dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000000c514f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000000c5150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000c51525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000000c5153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000c51555 2 bytes JMP 76a568ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000000c5156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000c51585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000000c5159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000000c515b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000000c515cd 2 bytes JMP 
76a5b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000000c516b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000000c516bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007704f974 5 bytes JMP 0000000175669209 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 00000001756661f1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668de1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 
bytes JMP 0000000175666159 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007704fe14 5 bytes JMP 0000000175669171 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007704fff0 5 bytes JMP 00000001756692a1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 
bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770507e8 5 bytes JMP 00000001756690d9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668d49 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 
bytes JMP 0000000175663439 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077051dd8 5 bytes JMP 0000000175669339 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668f11 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668e79 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] 
C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\Common Files\AVG Secure 
Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program 
Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 0000000175666321 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 
0000000175662269 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668cb1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 00000001756660c1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 
bytes JMP 0000000175666029 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\Common Files\AVG 
Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175669469 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\Common Files\AVG 
Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175669501 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 00000001756683c9 .text C:\Program Files 
(x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175669599 
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175666581 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175666451 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175669041 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668fa9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175668889 .text C:\Program 
Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 0000000175665d31 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175666619 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 
0000000175665c01 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\user32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175669631 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3256] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 53, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e9dc30 6 bytes [48, B8, B9, 61, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e9dc38 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, CB, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 51, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn 
Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, C9, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e9df20 6 bytes [48, B8, F9, 5F, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e9df28 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, FA, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 27, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e9e050 6 bytes [48, B8, 79, 63, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e9e058 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, 
B8, 39, FC, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e9e1b0 6 bytes [48, B8, F9, 66, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e9e1b8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e9e580 6 bytes [48, B8, 39, 5E, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e9e588 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 50, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, E1, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e9f3a0 6 bytes [48, B8, 39, 65, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 
0000000076e9f3a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 58, 5A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, F1, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 57, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, F8, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, F5, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, EE, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, D0, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 29, 5A, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 4E, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, FD, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, CE, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, CC, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, EA, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, C7, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, C5, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, C4, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, F9, 3C, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, A8, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, C2, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, AB, 59, 75, 00] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, F9, 35, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 6C, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 3E, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 40, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 43, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 47, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 4C, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 49, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 4A, 5A, 75] .text ... * 2 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, F9, 6D, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 34, 5A, 75, 00, 00] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetCloseHandle + 1 000007fefd6b3fa1 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!HttpOpenRequestW + 1 000007fefd6b5441 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetConnectW + 1 000007fefd6bb581 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!HttpSendRequestW + 1 000007fefd6bc5a1 11 bytes [B8, 79, 16, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetReadFile + 1 000007fefd6bd941 11 bytes [B8, 79, 01, 5A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!HttpSendRequestExW + 1 000007fefd6f8a01 11 bytes [B8, F9, 19, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetWriteFile + 1 000007fefd6f8eb1 11 bytes [B8, B9, FF, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetOpenW + 1 000007fefd718b91 11 bytes [B8, F9, 04, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetOpenA 000007fefd718d30 12 bytes [48, B8, 39, 03, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!HttpSendRequestA + 1 000007fefd75de71 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetConnectA + 1 000007fefd7be951 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetOpenUrlA + 1 000007fefd7bed41 11 bytes [B8, B9, 06, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!InternetOpenUrlW + 1 000007fefd7bf9f1 11 bytes [B8, 79, 08, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!FtpGetFileA 000007fefd7d0210 12 bytes [48, B8, 39, 1F, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!FtpOpenFileA + 1 000007fefd7d06c1 11 bytes [B8, 39, 0A, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!FtpPutFileA 000007fefd7d07a0 12 bytes [48, B8, B9, 22, 5A, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!FtpGetFileW + 1 000007fefd7d4111 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!FtpOpenFileW + 1 000007fefd7d4221 11 bytes [B8, F9, 0B, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!FtpPutFileW + 1 000007fefd7d4421 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!HttpSendRequestExA + 1 000007fefd7e8681 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\WININET.dll!HttpOpenRequestA + 1 000007fefd7eb0f1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefd9780b0 12 bytes [48, B8, B9, 65, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefd979641 11 bytes [B8, F9, 63, 59, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA 000007fefda01370 12 bytes [48, B8, 79, 1D, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefda014f0 12 bytes [48, B8, B9, 1B, 5A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, E7, 59, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, E5, 59, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[4328] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, E3, 59, 75, 00, ...] .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007704f974 5 bytes JMP 0000000175668889 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 0000000175668461 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007704fe14 5 bytes JMP 00000001756687f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 
bytes JMP 0000000175663309 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007704fff0 5 bytes JMP 0000000175668921 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770507e8 5 bytes JMP 0000000175668759 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 0000000175662e49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 
0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 00000001756683c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077051dd8 5 bytes JMP 00000001756689b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668591 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 00000001756684f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] 
C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 0000000175664b61 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text 
C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 bytes JMP 00000001756647d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 
0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 5 bytes JMP 00000001756659a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] 
C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 0000000175667751 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 00000001756677e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 00000001756676b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 0000000175668331 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175668a51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Program Files 
(x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 00000001756686c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 0000000175668629 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667f09 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Program 
Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175668ae9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667dd9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667e71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 
5 bytes JMP 0000000175667fa1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175668b81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 00000001756679b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 0000000175667881 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 00000001756680d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668299 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 0000000175667919 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668201 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 0000000175668039 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] 
C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668169 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668c19 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 0000000175667a49 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Program 
Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000007a0179 5 bytes JMP 0000000075664d29 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000076574f30 5 bytes JMP 00000001756671f9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetWriteFile 00000000765750b0 5 bytes JMP 0000000175666911 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetOpenA 000000007659bca0 5 bytes JMP 0000000175666a41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetOpenW 000000007659c230 5 bytes JMP 0000000175666ad9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 00000000765d3410 5 bytes JMP 0000000175667589 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 00000000765d72a0 5 bytes JMP 0000000175666f99 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 00000000765d9f60 5 bytes JMP 00000001756670c9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetConnectW 00000000765daec0 5 bytes JMP 0000000175666e69 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetReadFile 00000000765e34e0 5 bytes JMP 00000001756669a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 00000000765e88b0 5 
bytes JMP 0000000175667031 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetConnectA 00000000765ed340 5 bytes JMP 0000000175666dd1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 00000000765ed3d0 5 bytes JMP 0000000175666f01 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000076646060 5 bytes JMP 0000000175666b71 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000076646ba0 5 bytes JMP 0000000175666c09 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!FtpGetFileA 00000000766549a0 5 bytes JMP 0000000175667329 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000076654d60 5 bytes JMP 0000000175666ca1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000076654df0 5 bytes JMP 0000000175667459 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000076657ec0 5 bytes JMP 00000001756673c1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000076657f60 5 bytes JMP 0000000175666d39 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!FtpPutFileW 00000000766580c0 5 bytes JMP 00000001756674f1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 000000007666a590 5 bytes JMP 0000000175667161 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 
0000000003402b50 5 bytes JMP 0000000075668de1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000003441130 5 bytes JMP 0000000075664149 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000003441910 5 bytes JMP 00000000756621d1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 00000000034be650 5 bytes JMP 0000000075667291 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 00000000034be7a0 5 bytes JMP 0000000075662ab9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076153918 5 bytes JMP 0000000175665741 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076153cd3 5 bytes JMP 00000001756656a9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!socket 0000000076153eb8 5 bytes JMP 0000000175667ae1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076154406 5 bytes JMP 0000000175662139 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076154889 5 bytes JMP 0000000175664dc1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!recv 0000000076156b0e 5 bytes JMP 0000000175667ca9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!connect 0000000076156bdd 1 byte JMP 00000001756641e1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!connect + 2 
0000000076156bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!send 0000000076156f01 5 bytes JMP 00000001756620a1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076157089 5 bytes JMP 0000000175667d41 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007615cc3f 5 bytes JMP 0000000175667c11 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007615d1ea 5 bytes JMP 0000000175664e59 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076167673 5 bytes JMP 0000000175664ef1 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000004011401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000004011419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000004011431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000401144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000040114dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000040114f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000401150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000004011525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000401153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000004011555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000401156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000004011585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000401159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000040115b5 2 bytes JMP 76a4fd41 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000040115cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000040116b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CyberLink\PowerDVD14\Common\CLMPSvc.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000040116bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e9dc30 6 bytes [48, B8, B9, 45, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e9dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e9df20 6 bytes [48, B8, F9, 43, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e9df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e9e050 6 bytes [48, B8, 79, 47, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e9e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text 
C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e9e1b0 6 bytes [48, B8, F9, 4A, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e9e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e9e580 6 bytes [48, B8, 39, 42, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e9e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] 
.text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e9f3a0 6 bytes [48, B8, 39, 49, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e9f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 39, 50, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[5920] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, F9, 0B, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, B9, 0D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, 39, E0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, 39, 2D, 5A, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 45, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 79, 16, 5A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 79, 47, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, 39, 18, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5488] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e9dc30 6 bytes [48, B8, B9, 45, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e9dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 
50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e9df20 6 bytes [48, B8, F9, 43, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e9df28 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text 
C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e9e050 6 bytes [48, B8, 79, 47, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e9e058 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e9e1b0 6 bytes [48, B8, F9, 4A, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e9e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e9e580 6 bytes [48, B8, 39, 42, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e9e588 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 
bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e9f3a0 6 bytes [48, B8, 39, 49, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e9f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] 
.text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] 
.text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] 
.text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 79, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] 
.text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, 39, 50, 5A, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] 
.text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\SYSTEM32\WISPTIS.EXE[6800] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e9dc30 6 bytes [48, B8, B9, 45, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e9dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e9df20 6 bytes [48, B8, F9, 43, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e9df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e9e050 6 bytes [48, B8, 79, 47, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e9e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e9e1b0 6 bytes [48, B8, F9, 4A, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e9e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e9e580 6 bytes [48, B8, 39, 42, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e9e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e9f3a0 6 bytes [48, B8, 39, 49, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e9f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] 
.text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 79, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\prevhost.exe[7068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, F9, 51, 5A, 75, 00, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\prevhost.exe[7068] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, 79, 39, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e9dc10 6 bytes [48, B8, B9, 0D, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 0000000076e9dc18 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e9dc30 6 bytes [48, B8, 79, 47, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e9dc38 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 
50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, B9, 37, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e9df20 6 bytes [48, B8, B9, 45, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e9df28 4 bytes [00, 00, 50, C3] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e9e050 6 bytes [48, B8, 39, 49, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e9e058 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text 
C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e9e1b0 6 bytes [48, B8, B9, 4C, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e9e1b8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e9e580 6 bytes [48, B8, F9, 43, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e9e588 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e9f3a0 6 bytes [48, B8, F9, 4A, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e9f3a8 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, B9, 3E, 5A, 75] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, F9, 3C, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, 79, 0F, 5A, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 39, 34, 5A, 75, 00, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, B9, 1B, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, F9, 51, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 39, 26, 5A, 75, 00, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetCloseHandle + 1 000007fefd6b3fa1 11 bytes [B8, 39, 0A, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!HttpOpenRequestW + 1 000007fefd6b5441 11 bytes [B8, F9, F6, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetConnectW + 1 000007fefd6bb581 11 bytes [B8, 79, F3, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!HttpSendRequestW + 1 000007fefd6bc5a1 11 bytes [B8, 79, FA, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetReadFile + 1 000007fefd6bd941 11 bytes [B8, 79, E5, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!HttpSendRequestExW + 1 000007fefd6f8a01 11 bytes [B8, F9, FD, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetWriteFile + 1 000007fefd6f8eb1 11 bytes [B8, B9, E3, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetOpenW + 1 000007fefd718b91 11 bytes [B8, F9, E8, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetOpenA 000007fefd718d30 12 bytes [48, B8, 39, E7, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!HttpSendRequestA + 1 000007fefd75de71 11 bytes [B8, B9, F8, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetConnectA + 1 000007fefd7be951 11 bytes [B8, B9, F1, 59, 75, 00, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetOpenUrlA + 1 000007fefd7bed41 11 bytes [B8, B9, EA, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!InternetOpenUrlW + 1 000007fefd7bf9f1 11 bytes [B8, 79, EC, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!FtpGetFileA 000007fefd7d0210 12 bytes [48, B8, 39, 03, 5A, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!FtpOpenFileA + 1 000007fefd7d06c1 11 bytes [B8, 39, EE, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!FtpPutFileA 000007fefd7d07a0 12 bytes [48, B8, B9, 06, 5A, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!FtpGetFileW + 1 000007fefd7d4111 11 bytes [B8, F9, 04, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!FtpOpenFileW + 1 000007fefd7d4221 11 bytes [B8, F9, EF, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!FtpPutFileW + 1 000007fefd7d4421 11 bytes [B8, 79, 08, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!HttpSendRequestExA + 1 000007fefd7e8681 11 bytes [B8, 39, FC, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\WININET.dll!HttpOpenRequestA + 1 000007fefd7eb0f1 11 bytes [B8, 39, F5, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, 79, 16, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, F9, 2E, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, B9, 30, 5A, 75] .text ... * 2 .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, 79, 55, 5A, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, F9, 19, 5A, 75, 00, 00] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\advapi32.DLL!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefdf6dd61 11 bytes [B8, 79, 8A, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc2656e0 12 bytes [48, B8, 39, CB, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc27010c 12 bytes [48, B8, 79, C9, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc28daa0 12 bytes [48, B8, B9, C7, 59, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefd9780b0 12 bytes [48, B8, B9, 65, 59, 75, 00, ...] 
.text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefd979641 11 bytes [B8, F9, 63, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA 000007fefda01370 12 bytes [48, B8, 79, 01, 5A, 75, 00, ...] .text C:\Users\KO\Downloads\FRST64.exe[6128] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefda014f0 12 bytes [48, B8, B9, FF, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e9dc30 6 bytes [48, B8, B9, 45, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e9dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 
0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e9df20 6 bytes [48, B8, F9, 43, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e9df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, 
C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e9e050 6 bytes [48, B8, 79, 47, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e9e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e9e1b0 6 bytes [48, B8, F9, 4A, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e9e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e9e580 6 bytes [48, B8, 39, 42, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e9e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 
bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e9f3a0 6 bytes [48, B8, 39, 49, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e9f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 4C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 79, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3324] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076e78731 11 bytes [B8, B9, 37, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076e86761 7 bytes [B8, 39, 69, 59, 75, 00, 00] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076e8676a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e9dc30 6 bytes [48, B8, B9, 45, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076e9dc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e9dca0 6 bytes [48, B8, 79, C2, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076e9dca8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076e9dd70 6 bytes [48, B8, 39, AF, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076e9dd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076e9ddc0 6 bytes [48, B8, F9, 35, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076e9ddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e9de10 6 bytes [48, B8, F9, 32, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076e9de18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e9de30 6 bytes [48, B8, 39, 1C, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076e9de38 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e9de50 6 bytes [48, B8, F9, 1D, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076e9de58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e9de70 6 bytes [48, B8, 79, AD, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076e9de78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e9df20 6 bytes [48, B8, F9, 43, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076e9df28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e9df50 6 bytes [48, B8, 79, 2F, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076e9df58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e9df70 6 bytes [48, B8, 79, 36, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076e9df78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e9dfc0 6 bytes [48, B8, 79, DE, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076e9dfc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e9e000 6 bytes [48, B8, B9, 34, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076e9e008 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e9e030 6 bytes [48, B8, F9, 0B, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076e9e038 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e9e050 6 bytes [48, B8, 79, 47, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076e9e058 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076e9e080 6 bytes [48, B8, 39, 2A, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076e9e088 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e9e090 6 bytes [48, B8, B9, 26, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076e9e098 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e9e100 6 bytes [48, B8, 39, E0, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076e9e108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e9e1b0 6 bytes [48, B8, F9, 4A, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076e9e1b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e9e580 6 bytes [48, B8, 39, 42, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076e9e588 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076e9e5d0 6 bytes [48, B8, 79, 28, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076e9e5d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e9e630 6 bytes [48, B8, F9, 24, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076e9e638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e9e9a0 6 bytes [48, B8, 39, C4, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076e9e9a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076e9eb70 6 bytes [48, B8, 39, 34, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076e9eb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076e9eee0 6 bytes [48, B8, 79, 83, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076e9eee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e9f0e0 6 bytes [48, B8, 39, 31, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076e9f0e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e9f2a0 6 bytes [48, B8, F9, C5, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076e9f2a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e9f380 6 bytes [48, B8, 79, 3D, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076e9f388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e9f390 6 bytes [48, B8, B9, 3B, 59, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076e9f398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e9f3a0 6 bytes [48, B8, 39, 49, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076e9f3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e9f480 6 bytes [48, B8, F9, 3C, 5A, 75] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076e9f488 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f0ed21 11 bytes [B8, 39, 85, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076d31b21 11 bytes [B8, B9, C0, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076d31c10 12 bytes [48, B8, F9, 39, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076d32b61 8 bytes [B8, B9, D5, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076d32b6a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d4dbc0 12 bytes [48, B8, B9, 2D, 59, 75, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076d50941 11 bytes [B8, 39, 3B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076d85321 11 bytes [B8, B9, 7A, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076d85341 11 bytes [B8, 39, 77, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076d9a650 12 bytes [48, B8, B9, 81, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076d9a760 12 bytes [48, B8, 39, 7E, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076dbf501 11 bytes [B8, B9, DC, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076dbf701 11 bytes [B8, 39, D9, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076dbf731 8 bytes [B8, 39, D2, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076dbf73a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcc31861 11 bytes [B8, 79, 52, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcc32db1 11 bytes [B8, 79, B4, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcc33461 11 bytes [B8, 39, B6, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcc350d1 11 bytes [B8, 39, 11, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcc35370 12 bytes [48, B8, B9, 0D, 5A, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcc35eb1 11 bytes [B8, 79, 0F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcc38f20 12 bytes [48, B8, B9, 50, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcc397a1 11 bytes [B8, 79, 32, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcc3a0e1 11 bytes [B8, F9, E1, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcc3aec0 12 bytes [48, B8, B9, B2, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcc3ca31 11 bytes [B8, F9, B0, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcc437d1 11 bytes [B8, F9, 4E, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcc64310 12 bytes [48, B8, B9, 42, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcc70bd1 11 bytes [B8, B9, CE, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcc72831 8 bytes [B8, 39, 23, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcc7283a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcc72871 11 bytes [B8, F9, 40, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefdbaae81 11 bytes [B8, 79, 2B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefdbaaee1 11 bytes [B8, F9, 12, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefdbae6e9 11 bytes [B8, B9, 30, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefdbb048d 11 bytes [B8, B9, 14, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefdbb0579 11 bytes [B8, B9, 29, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefdbb05b1 11 bytes [B8, 39, 2D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefdbb05f9 5 bytes [B8, F9, 2E, 5A, 75] .text ... * 2 .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefdbc4e21 11 bytes [B8, B9, 4C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefdbc5538 12 bytes [48, B8, B9, 6C, 59, 75, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefdbdb9c1 7 bytes [B8, 39, 18, 5A, 75, 00, 00] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefdbdb9ca 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefdbdba4c 12 bytes [48, B8, F9, 6A, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefdbdbbc0 12 bytes [48, B8, 79, 60, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefdbdbc2c 12 bytes [48, B8, B9, 5E, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd14642d 11 bytes [B8, 39, 5B, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd146484 12 bytes [48, B8, F9, 55, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd146519 11 bytes [B8, 39, 62, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd146c34 12 bytes [48, B8, 39, 54, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd147ab5 11 bytes [B8, F9, 5C, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd148b01 11 bytes [B8, B9, 57, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd148c39 11 bytes [B8, 79, 59, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefcfcb031 11 bytes [B8, 79, 4E, 5A, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefcfe4991 11 bytes [B8, B9, 22, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefcfe49b1 11 bytes [B8, 79, 24, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefcff9209 11 bytes [B8, F9, 27, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefdf6dd61 11 bytes [B8, 79, 8A, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefd4613b1 11 bytes [B8, B9, AB, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4618e0 12 bytes [48, B8, F9, A9, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefd461bd1 11 bytes [B8, 39, A8, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefd462201 11 bytes [B8, F9, 20, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefd4623c0 12 bytes [48, B8, 39, 8C, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!connect 000007fefd4645c0 12 bytes [48, B8, 79, 67, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!send + 1 000007fefd468001 11 bytes [B8, 79, A6, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefd468df0 7 bytes [48, B8, B9, 8F, 59, 75, 00] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefd468df9 3 bytes [00, 50, C3] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefd46c090 12 bytes [48, B8, F9, 8D, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefd46de91 11 bytes [B8, F9, 19, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefd46df41 11 bytes [B8, 39, 1F, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefd48e0f1 11 bytes [B8, 79, 1D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefd9780b0 12 bytes [48, B8, B9, 65, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefd979641 11 bytes [B8, F9, 63, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA 000007fefda01370 12 bytes [48, B8, 79, 01, 5A, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefda014f0 12 bytes [48, B8, B9, FF, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetCloseHandle + 1 000007fefd6b3fa1 11 bytes [B8, 39, 0A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!HttpOpenRequestW + 1 000007fefd6b5441 11 bytes [B8, F9, F6, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetConnectW + 1 000007fefd6bb581 11 bytes [B8, 79, F3, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!HttpSendRequestW + 1 000007fefd6bc5a1 11 bytes [B8, 79, FA, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetReadFile + 1 000007fefd6bd941 11 bytes [B8, 79, E5, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!HttpSendRequestExW + 1 000007fefd6f8a01 11 bytes [B8, F9, FD, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetWriteFile + 1 000007fefd6f8eb1 11 bytes [B8, B9, E3, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetOpenW + 1 000007fefd718b91 11 bytes [B8, F9, E8, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetOpenA 000007fefd718d30 12 bytes [48, B8, 39, E7, 59, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!HttpSendRequestA + 1 000007fefd75de71 11 bytes [B8, B9, F8, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetConnectA + 1 000007fefd7be951 11 bytes [B8, B9, F1, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetOpenUrlA + 1 000007fefd7bed41 11 bytes [B8, B9, EA, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!InternetOpenUrlW + 1 000007fefd7bf9f1 11 bytes [B8, 79, EC, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!FtpGetFileA 000007fefd7d0210 12 bytes [48, B8, 39, 03, 5A, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!FtpOpenFileA + 1 000007fefd7d06c1 11 bytes [B8, 39, EE, 59, 75, 00, 00, ...] 
.text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!FtpPutFileA 000007fefd7d07a0 12 bytes [48, B8, B9, 06, 5A, 75, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!FtpGetFileW + 1 000007fefd7d4111 11 bytes [B8, F9, 04, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!FtpOpenFileW + 1 000007fefd7d4221 11 bytes [B8, F9, EF, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!FtpPutFileW + 1 000007fefd7d4421 11 bytes [B8, 79, 08, 5A, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!HttpSendRequestExA + 1 000007fefd7e8681 11 bytes [B8, 39, FC, 59, 75, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5092] C:\Windows\system32\WININET.dll!HttpOpenRequestA + 1 000007fefd7eb0f1 11 bytes [B8, 39, F5, 59, 75, 00, 00, ...] .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007704f93c 5 bytes JMP 00000001756676b9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007704f974 5 bytes JMP 0000000175668921 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007704fa2c 5 bytes JMP 0000000175665e61 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007704fb74 5 bytes JMP 0000000175665871 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007704fbf4 5 bytes JMP 00000001756684f9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007704fc6c 5 bytes JMP 00000001756631d9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007704fc9c 5 bytes JMP 00000001756615f1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 
000000007704fccc 5 bytes JMP 0000000175661689 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007704fcfc 5 bytes JMP 00000001756657d9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007704fe14 5 bytes JMP 0000000175668889 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007704fe60 5 bytes JMP 00000001756630a9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007704fe90 5 bytes JMP 0000000175663309 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007704ff0c 5 bytes JMP 00000001756667e1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007704ff70 5 bytes JMP 0000000175663271 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007704ffc0 5 bytes JMP 0000000175667621 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007704fff0 5 bytes JMP 00000001756689b9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077050038 5 bytes JMP 0000000175662ee1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077050050 5 bytes JMP 0000000175662db1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077050100 5 bytes JMP 0000000175661ed9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077050210 5 bytes JMP 0000000175662301 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770507e8 5 bytes JMP 00000001756687f1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077050860 5 bytes JMP 
0000000175662e49 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770508f0 5 bytes JMP 0000000175662d19 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077050e40 5 bytes JMP 0000000175665ef9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 000000007705110c 5 bytes JMP 0000000175668461 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077051650 5 bytes JMP 0000000175664ac9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007705196c 5 bytes JMP 0000000175663141 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077051c30 5 bytes JMP 0000000175665f91 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077051da0 5 bytes JMP 0000000175663439 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077051dbc 5 bytes JMP 00000001756633a1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077051dd8 5 bytes JMP 0000000175668a51 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077051f34 5 bytes JMP 0000000175668629 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077064964 5 bytes JMP 0000000175661ab1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077070fe1 5 bytes JMP 0000000175668591 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077090f4b 5 bytes JMP 0000000175662009 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000770d88cf 5 bytes JMP 
0000000175664b61 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000770deb6b 5 bytes JMP 0000000175661f71 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000175661da9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000175662a21 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3498f 5 bytes JMP 00000001756625f9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bab 5 bytes JMP 0000000175663011 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a49aa4 5 bytes JMP 0000000175666749 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076a49b05 5 bytes JMP 00000001756664e9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000175662729 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000175665dc9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000076a5ccb1 5 bytes JMP 00000001756663b9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a5ccd1 5 bytes JMP 0000000175666619 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab3051 5 bytes JMP 00000001756628f1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad751b 5 bytes JMP 00000001756646a1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad753e 5 
bytes JMP 00000001756647d1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad78e9 5 bytes JMP 0000000175664901 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad7962 5 bytes JMP 0000000175664a31 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076b68f8d 5 bytes JMP 0000000175661a19 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076b6c436 5 bytes JMP 0000000175663b59 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076b6d0af 5 bytes JMP 0000000175666879 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076b6eca6 5 bytes JMP 0000000175663601 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076b6f206 5 bytes JMP 0000000175662399 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076b6fa89 5 bytes JMP 0000000175661e41 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076b6fbb7 5 bytes JMP 0000000175666289 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076b71358 5 bytes JMP 0000000175663ac1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076b7137f 5 bytes JMP 0000000175663a29 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b71d29 5 bytes JMP 0000000175661981 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076b71e15 5 bytes JMP 00000001756624c9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b72ab1 
5 bytes JMP 00000001756659a1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076b72cdf 5 bytes JMP 0000000175665909 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b72d1d 5 bytes JMP 0000000175665a39 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076b72e80 5 bytes JMP 00000001756618e9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076b73b76 5 bytes JMP 0000000175662269 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076b7449c 5 bytes JMP 0000000175662431 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076b7460e 5 bytes JMP 0000000175663569 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076b74637 5 bytes JMP 0000000175662c81 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076b7a217 5 bytes JMP 00000001756677e9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076b7a426 5 bytes JMP 0000000175667881 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076b7a500 5 bytes JMP 0000000175667751 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076b7c73a 5 bytes JMP 00000001756627c1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076b7e2a4 5 bytes JMP 00000001756683c9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076338e89 5 bytes JMP 0000000175667a49 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076339179 5 bytes JMP 
0000000175667919 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076339186 5 bytes JMP 0000000175668169 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007633c4d2 5 bytes JMP 0000000175668331 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007633c9ec 5 bytes JMP 0000000175663c89 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007633deb4 5 bytes JMP 00000001756679b1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007633ded6 5 bytes JMP 0000000175668299 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007633deee 5 bytes JMP 00000001756680d1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007633df1e 5 bytes JMP 0000000175668201 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076342b50 5 bytes JMP 0000000175663bf1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000763435fc 5 bytes JMP 00000001756640b1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000007634494d 5 bytes JMP 0000000175668ae9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076357154 5 bytes JMP 0000000175664311 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!ControlService 000000007635716c 5 bytes JMP 0000000175663e51 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076357184 5 bytes JMP 0000000175663ee9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000763577cb 5 bytes JMP 
0000000175667ae1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000763733bc 5 bytes JMP 0000000175663f81 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000763733cc 5 bytes JMP 0000000175664019 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000763733dc 5 bytes JMP 0000000175663d21 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000763733ec 5 bytes JMP 0000000175663db9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 000000007637342c 5 bytes JMP 0000000175664279 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000075d4a472 5 bytes JMP 0000000175668b81 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000075d527ce 5 bytes JMP 0000000175661be1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000075d5e6cf 5 bytes JMP 0000000175661b49 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000075f1633b 5 bytes JMP 0000000175668c19 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000075f3868d 5 bytes JMP 0000000175667e71 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000075f386ac 5 bytes JMP 0000000175667f09 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000075f440e9 5 bytes JMP 0000000175668039 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075e07e92 5 bytes JMP 0000000175664441 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075e0811b 5 bytes JMP 00000001756643a9 .text 
C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075e08b9a 5 bytes JMP 0000000175664f89 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075e0a5e6 5 bytes JMP 0000000175665021 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075e0ae99 5 bytes JMP 0000000175668cb1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075e0d205 5 bytes JMP 0000000175665c01 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075e0f0e6 5 bytes JMP 00000001756634d1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075e0fb43 5 bytes JMP 0000000175665ad1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075e0fc31 5 bytes JMP 0000000175665b69 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075e10112 5 bytes JMP 0000000175664571 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075e10dbe 5 bytes JMP 00000001756650b9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075e10f14 5 bytes JMP 0000000175668759 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075e11b4c 5 bytes JMP 0000000175665449 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075e13cbf 5 bytes JMP 00000001756686c1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 0000000075e15359 5 bytes JMP 0000000175667fa1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075e17b22 5 bytes JMP 00000001756653b1 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075e18364 5 bytes JMP 0000000175662b51 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075e206b3 5 bytes JMP 0000000175662be9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075e20a41 5 bytes JMP 0000000175665151 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075e22782 5 bytes JMP 00000001756651e9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075e2ed58 5 bytes JMP 00000001756644d9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075e2f006 5 bytes JMP 0000000175664bf9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075e30e99 5 bytes JMP 0000000175665c99 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075e30efc 5 bytes JMP 0000000175664c91 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075e5fe66 5 bytes JMP 0000000175665281 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075e5fe8a 5 bytes JMP 0000000175665319 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000002071401 2 bytes JMP 76a5b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000002071419 2 bytes JMP 76a5b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000002071431 2 bytes JMP 76ad8f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 
000000000207144a 2 bytes CALL 76a3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000020714dd 2 bytes JMP 76ad8822 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000020714f5 2 bytes JMP 76ad89f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000207150d 2 bytes JMP 76ad8718 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000002071525 2 bytes JMP 76ad8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000207153d 2 bytes JMP 76a4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000002071555 2 bytes JMP 76a568ef C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000207156d 2 bytes JMP 76ad8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000002071585 2 bytes JMP 76ad8b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000207159d 2 bytes JMP 76ad86dc C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000020715b5 2 bytes JMP 76a4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000020715cd 2 bytes JMP 76a5b2dc C:\Windows\syswow64\kernel32.dll .text 
C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000020716b2 2 bytes JMP 76ad8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\KO\Downloads\lf9evwp7.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000020716bd 2 bytes JMP 76ad8671 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b3f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b3cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b469c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b4a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b48f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa8006ba72c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 fffffa8006ba72c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8006ba72c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8006ba72c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-2 fffffa8006ba72c0 Device \FileSystem\Ntfs \Ntfs fffffa8006bab2c0 Device \Driver\dtsoftbus01 \Device\00000078 fffffa80074432c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa80076bf2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80076bf2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80074ea2c0 Device \Driver\cdrom \Device\CdRom1 fffffa80074ea2c0 Device \Driver\cdrom \Device\CdRom2 fffffa80074ea2c0 Device \Driver\dtsoftbus01 \Device\00000079 fffffa80074432c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa800771a2c0 Device \Driver\usbuhci \Device\USBPDO-2 
fffffa80076bf2c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80076bf2c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80074432c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa80076bf2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80076bf2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5FD09654-01C1-4942-AD66-55F3820378A2} fffffa80074f02c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80074f02c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa800771a2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8006ba72c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa80076bf2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FFE167DD-9241-4ECB-9116-1819E188796C} fffffa80074f02c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80076bf2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8006ba72c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006ba72c0]<< sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8006ba72c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8007302060] fffffa8007302060 Trace 3 CLASSPNP.SYS[fffff88001cb443f] -> nt!IofCallDriver -> [0xfffffa80070f4e40] fffffa80070f4e40 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-2[0xfffffa80070f1060] fffffa80070f1060 Trace \Driver\atapi[0xfffffa80070876e0] -> IRP_MJ_CREATE -> 0xfffffa8006ba72c0 fffffa8006ba72c0 ---- Processes - GMER 2.1 ---- Library \\?\C:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [876] (FILE NOT FOUND) 000007fefb5e0000 Library \\?\C:\Program Files\Bitdefender\Bitdefender\bdnc.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [876] (FILE NOT FOUND) 000007fefb3e0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg 
HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAA 0x14 0xCC 0x9B ... Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@CriticalSectionTimeout 2592000 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@GlobalFlag 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitFreeBlockThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitTotalFreeThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentCommit 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentReserve 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProcessorControl 2 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ResourceTimeoutCount 648000 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@BootExecute autocheck autochk *? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ExcludeFromKnownDlls Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ObjectDirectories \Windows?\RPC Control? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProtectionMode 1 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@NumberOfInitialSessions 2 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@SetupExecute Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAA 0x14 0xCC 0x9B ... ---- EOF - GMER 2.1 ----