GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-28 10:31:30 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000LPVX-08V0TT5 rev.05.01A05 465,76GB Running: lb248e0e.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\ugldypow.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Bitdefender\Bitdefender 2017\vsserv.exe[888] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 0000000076fc9301 11 bytes [B8, F0, 12, 7C, 01, 00, 00, ...] .text C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe[1140] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 0000000076fc9301 11 bytes [B8, F0, 12, 87, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, D4, 24, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, AA, 38, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 40, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, D6, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 32, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 82, 3B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 74, 43, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6C, 3A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, DE, 42, F2, FF, FF, 07] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 44, 3E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, FC, 4A, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1940] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc5256e0 12 bytes [48, B8, AC, 4F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc53010c 12 bytes [48, B8, 16, 4F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc54daa0 12 bytes [48, B8, 80, 4E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fef5c322e0 12 bytes [48, B8, 6E, 51, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fef5c345f8 12 bytes [48, B8, D8, 50, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1940] c:\windows\system32\WINHTTP.dll!WinHttpConnect 000007fef5c43e3c 12 bytes [48, B8, 04, 52, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, FC, 4A, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\WLANExt.exe[2024] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 2 bytes [B8, 58] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 4 000007fefd3246c4 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 2 bytes [B8, EE] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 4 000007fefd3246e4 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 84, 29, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, CC, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, F4, 42, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 78, 47, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 8A, 43, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 62, 46, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 5E, 42, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, A0, 44, F2, FF, FF, 07] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, C8, 41, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 70, 3E, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, DA, 3D, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefc5256e0 12 bytes [48, B8, 42, 50, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefc53010c 12 bytes [48, B8, AC, 4F, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefc54daa0 12 bytes [48, B8, 16, 4F, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 92, 4B, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 80, 4E, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, D0, 49, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Windows\System32\spoolsv.exe[1560] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, C6, 2C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 4A, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 16, 27, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 08, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 2 bytes [B8, D4] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 68 000007fefeb40764 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 72, 2E, F2, FF, FF, 07] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, D8, 29, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, D4, 24, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, AA, 38, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 40, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, D6, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 32, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 82, 3B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 74, 43, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6C, 3A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, DE, 42, F2, FF, FF, 07] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 44, 3E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 2 bytes [B8, 58] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 4 000007fefd3246c4 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 2 bytes [B8, EE] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 4 000007fefd3246e4 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 84, 29, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, CC, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, F4, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 78, 47, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 8A, 43, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 62, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 5E, 42, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, A0, 44, F2, FF, FF, 07] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, C8, 41, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 70, 3E, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, DA, 3D, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 92, 4B, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 80, 4E, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, D0, 49, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\DIAS\CnxDIAS.exe[2192] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 88, 2E, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 60, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 5C, 2D, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 9E, 2F, F2, FF, FF, 07] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 6E, 29, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\CxAudMsg64.exe[2260] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 38, 34, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 88, 2E, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 60, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 5C, 2D, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 9E, 2F, F2, FF, FF, 07] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 6E, 29, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\system32\DbxSvc.exe[2308] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef211e4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef21206 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef21228 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef21316 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef2126c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef212b0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef2139e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef2128e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef2124a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef213c0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef212d2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbguard.exe[2432] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef212f4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2115c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20ed6 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20eb4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef211a0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f80 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210f6 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a52 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef2113a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20fa2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e92 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef210b2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210d4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20f1a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fc4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef21090 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ef8 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2117e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f3c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e70 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211e4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2106e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e4e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef21008 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f5e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef21118 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fe6 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef2102a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2104c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211c2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b40 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef20b62 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20b84 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a96 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b1e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20afc .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d60 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20d1c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20dc6 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e2c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20bc8 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d3e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20e0a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20da4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20de8 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20ba6 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20cb6 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cfa .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c2e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c50 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d82 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c72 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c94 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20bea .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20c0c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cd8 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef21206 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef2137c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef2135a .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef2139e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef212b0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef212f4 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef213e2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef212d2 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef2128e .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef21404 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef213c0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef21316 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef21338 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000076c1c7c3 5 bytes JMP 000000007ef214d0 .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000076c2843a 5 bytes JMP 000000007ef2148c .text C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe[2468] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000076c74844 5 bytes JMP 000000007ef214ae .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 6C, 3A, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 02, 3B, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 98, 3B, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F4, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CC, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C8, 41, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 0A, 44, F2, FF, FF, 07] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, DA, 3D, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2628] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 58, 28, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 74, 43, F2, FF, FF, 07] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[2680] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 08, 2F, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 30, 2C, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, B4, 30, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 80, 26, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, C6, 2C, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 72, 2E, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, DC, 2D, F2, FF, FF, 07] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 16, 27, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, D8, 29, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 42, 29, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 4A, 31, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 20, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, FC, 4A, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\ws2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc5256e0 12 bytes [48, B8, 42, 50, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc53010c 12 bytes [48, B8, AC, 4F, F2, FF, FF, ...] .text C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe[2716] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc54daa0 12 bytes [48, B8, 16, 4F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 58, 28, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 74, 43, F2, FF, FF, 07] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[3016] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!UnhandledExceptionFilter 0000000076917717 5 bytes JMP 00000000010d07d0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a52 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b40 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20b1e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2117e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20ef8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20ed6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef211c2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20fa2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef21118 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a74 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef2115c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20fc4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20eb4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef210d4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210f6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20f3c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fe6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef210b2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20f1a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef211a0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f5e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e92 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef21206 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef21090 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e70 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef2102a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f80 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef2113a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef21008 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef2104c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2106e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211e4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a96 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b62 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef20b84 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20ba6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d82 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20d3e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20de8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e4e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20bea .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d60 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20e2c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20dc6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20e0a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20bc8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20cd8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20d1c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c50 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c72 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20da4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c94 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20cb6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 1 byte JMP 000000007ef20c0c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA + 2 000000007500310a 3 bytes {JMP 0x9f1db04} .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20c2e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cfa .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef2128e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768d1465 2 bytes [8D, 76] .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768d14bb 2 bytes [8D, 76] .text ... * 2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef213c0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef2139e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef213e2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef212f4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef21338 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef21426 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef21316 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef212d2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef21448 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef21404 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef2135a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3044] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef2137c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007724f908 5 bytes JMP 000000007ef20a30 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a52 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2115c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20ed6 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20eb4 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef211a0 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f80 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210f6 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a74 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef2113a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20fa2 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e92 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef210b2 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210d4 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20f1a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fc4 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef21090 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ef8 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2117e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f3c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e70 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211e4 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2106e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e4e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef21008 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f5e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef21118 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fe6 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef2102a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2104c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211c2 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a96 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b40 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef20b62 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20b84 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20ab8 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b1e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20afc .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d60 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20d1c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20dc6 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e2c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20bc8 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d3e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20e0a .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20da4 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20de8 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20ba6 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20cb6 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ada .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cfa .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c2e .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c50 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d82 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c72 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c94 .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20bea .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20c0c .text C:\Windows\SysWOW64\SAsrv.exe[3068] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208ba .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 2 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 3 000000007725077f 2 bytes [CD, 07] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef213c0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef2139e .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef213e2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef212f4 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef21426 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef21316 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef212d2 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef21448 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef21404 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2876] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef2148c .text C:\Program Files\Bitdefender\Bitdefender 2017\updatesrv.exe[3180] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 0000000076fc9301 11 bytes [B8, F0, 12, 10, 01, 00, 00, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 08, 2F, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 30, 2C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, B4, 30, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 80, 26, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, C6, 2C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 72, 2E, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, DC, 2D, F2, FF, FF, 07] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 16, 27, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, D8, 29, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 42, 29, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 4A, 31, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 20, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, FC, 4A, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc5256e0 12 bytes [48, B8, 42, 50, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc53010c 12 bytes [48, B8, AC, 4F, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe[3404] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc54daa0 12 bytes [48, B8, 16, 4F, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 20, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\valWBFPolicyService.exe[3492] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef21316 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef212b0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef212f4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef2126c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef2128e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2124a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef2139e .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef21228 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef212d2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef211e4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef21206 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4076] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef213c0 .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 72, 2E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 9A, 2B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 1E, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, EA, 25, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 30, 2C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, DC, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 08, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, D8, 29, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 2 bytes [B8, D4] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 68 000007fefeb40764 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 46, 2D, F2, FF, FF, 07] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 16, 27, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 80, 26, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 42, 29, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, AC, 28, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, B4, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 8A, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 20, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7768] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, D4, 24, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, AA, 38, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 40, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, D6, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 32, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 82, 3B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 74, 43, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6C, 3A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, DE, 42, F2, FF, FF, 07] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 44, 3E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[7896] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 08, 2F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 30, 2C, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, B4, 30, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 80, 26, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, C6, 2C, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 72, 2E, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, DC, 2D, F2, FF, FF, 07] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 16, 27, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, D8, 29, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 42, 29, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 4A, 31, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 20, 45, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 28, 4C, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 16, 4F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, D0, 49, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, 80, 4E, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\ws2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc5256e0 12 bytes [48, B8, 6E, 51, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc53010c 12 bytes [48, B8, D8, 50, F2, FF, FF, ...] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[1860] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc54daa0 12 bytes [48, B8, 42, 50, F2, FF, FF, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[7976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 1 byte JMP 000000007ef20b40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes + 2 000000007678853e 3 bytes {JMP 0x8798604} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef212f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef212d2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef21316 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef21228 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef2126c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef2124a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef21206 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef2128e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1596] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef212b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef212d2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef21316 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef2128e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef212b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2126c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef213c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2124a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef211e4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef212f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef21206 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef21228 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef2139e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3652] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef21448 .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[6164] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 40, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, D6, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 6C, 3A, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 02, 3B, F2, FF, FF, 07, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 74, 43, F2, FF, FF, 07] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\system32\taskhost.exe[3332] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNEL32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 08, 2F, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 30, 2C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, B4, 30, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 80, 26, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, C6, 2C, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 72, 2E, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, DC, 2D, F2, FF, FF, 07] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 16, 27, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, D8, 29, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 42, 29, F2, FF, FF, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 4A, 31, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 20, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe[1096] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 6C, 14, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, CE, 0C, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, 1C, 19, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, DE, 1A, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, 02, 15, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, D6, 13, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 64, 0D, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 86, 18, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, FA, 0D, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, BC, 0F, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 52, 10, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, 26, 0F, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, C4, 16, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 14, 12, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 6A, 27, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 92, 24, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 16, 29, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, E2, 1E, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 28, 25, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, D4, 26, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 00, 28, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, D0, 22, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, A0, 1C, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, FC, 23, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 3E, 26, F2, FF, FF, 07] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 66, 23, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 0E, 20, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 78, 1F, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 3A, 22, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, A4, 21, F2, FF, FF, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 36, 1D, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 8C, 33, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 22, 34, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, B8, 34, F2, FF, FF, 07, ...] .text C:\Windows\Explorer.EXE[3100] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, E4, 35, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 20, 45, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4996] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5380] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 6C, 3A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 02, 3B, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 98, 3B, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F4, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CC, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C8, 41, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 0A, 44, F2, FF, FF, 07] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, DA, 3D, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, 28, 4C, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, 16, 4F, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, D0, 49, F2, FF, FF, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, 80, 4E, F2, FF, FF, 07, ...] .text C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE[5208] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 2 bytes [B8, 58] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 4 000007fefd3246e4 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, EE, 28, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F4, 42, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CC, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C8, 41, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 0A, 44, F2, FF, FF, 07] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, DA, 3D, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\System32\hkcmd.exe[5304] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 88, 2E, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 60, 31, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 5C, 2D, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 9E, 2F, F2, FF, FF, 07] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 6E, 29, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\System32\igfxpers.exe[5620] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 2 bytes [B8, 58] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 4 000007fefd3246e4 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, EE, 28, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F4, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CC, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C8, 41, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 0A, 44, F2, FF, FF, 07] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, DA, 3D, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5496] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Program Files\Bitdefender\Bitdefender 2017\bdagent.exe[5656] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 0000000076fc9301 11 bytes [B8, F0, 12, 07, 02, 00, 00, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 88, 2E, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 60, 31, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 5C, 2D, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 9E, 2F, F2, FF, FF, 07] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 6E, 29, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\System32\StikyNot.exe[5080] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 1 byte JMP 000000007ef20b40 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes + 2 000000007678853e 3 bytes {JMP 0x8798604} .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef2128e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef213c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef2139e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef213e2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef212f4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef21426 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef21316 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef212d2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef21448 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef21404 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768d1465 2 bytes [8D, 76] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768d14bb 2 bytes [8D, 76] .text ... * 2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000076c1c7c3 5 bytes JMP 000000007ef214d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000076c2843a 5 bytes JMP 000000007ef2148c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[5704] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000076c74844 5 bytes JMP 000000007ef214ae .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211e4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1980] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef21206 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef211e4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef21206 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef21228 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToCacheFileW 0000000076c1c7c3 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToFileW 0000000076c2843a 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToFileA 0000000076c74844 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 1 byte JMP 000000007ef20b40 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes + 2 000000007678853e 3 bytes {JMP 0x8798604} .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4112] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef2128e .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 58, 28, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 74, 43, F2, FF, FF, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4308] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 1 byte JMP 000000007ef20b40 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes + 2 000000007678853e 3 bytes {JMP 0x8798604} .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20afc .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20ada .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef2128e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef213c0 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef2139e .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef213e2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef212f4 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef21426 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef21316 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef212d2 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef21448 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef21404 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4540] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef2137c .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 58, 28, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 74, 43, F2, FF, FF, 07] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4524] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\System32\WUDFHost.exe[4040] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007724f9c0 5 bytes JMP 000000007ef20700 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007724faa0 1 byte JMP 000000007ef208ba .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory + 2 000000007724faa2 3 bytes {JMP 0x7cd0e1a} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007724fb08 5 bytes JMP 000000007ef20656 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 000000007724fb88 5 bytes JMP 000000007ef209ca .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007724fc00 5 bytes JMP 000000007ef203f2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007724fc30 5 bytes JMP 000000007ef20018 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007724fc60 5 bytes JMP 000000007ef2003a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007724fc90 5 bytes JMP 000000007ef20634 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007724fda8 5 bytes JMP 000000007ef20a0e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007724fdf4 5 bytes JMP 000000007ef203ae .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007724fe24 5 bytes JMP 000000007ef20436 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007724fe88 5 bytes JMP 000000007ef20876 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007724fea0 5 bytes JMP 000000007ef20810 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007724ff04 5 bytes JMP 000000007ef20414 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007724ffcc 5 bytes JMP 000000007ef2036a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007724ffe4 5 bytes JMP 000000007ef20326 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077250018 5 bytes JMP 000000007ef208dc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077250094 2 bytes JMP 000000007ef20128 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 0000000077250097 2 bytes [CD, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772501a4 2 bytes JMP 000000007ef201b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 3 00000000772501a7 2 bytes [CD, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007725077c 5 bytes JMP 000000007ef20898 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772507f4 5 bytes JMP 000000007ef20348 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077250884 5 bytes JMP 000000007ef20304 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077250dd4 5 bytes JMP 000000007ef20722 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000772510a0 5 bytes JMP 000000007ef209a8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772515e4 5 bytes JMP 000000007ef205f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077251900 5 bytes JMP 000000007ef203d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077251bc4 5 bytes JMP 000000007ef20744 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077251d34 5 bytes JMP 000000007ef2047a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077251d50 5 bytes JMP 000000007ef20458 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077251d6c 5 bytes JMP 000000007ef20a30 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772688a4 5 bytes JMP 000000007ef200c2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000772694d1 5 bytes JMP 000000007ef209ec .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077290cfb 5 bytes JMP 000000007ef2016c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000772d857f 5 bytes JMP 000000007ef20612 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000772de81b 5 bytes JMP 000000007ef2014a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 000000007ef200e4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 000000007ef202c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f49bf 5 bytes JMP 000000007ef20238 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bdb 5 bytes JMP 000000007ef2038c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076909ab4 5 bytes JMP 000000007ef207ee .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076909b15 5 bytes JMP 000000007ef207aa .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917347 5 bytes JMP 000000007ef2025a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076918954 5 bytes JMP 000000007ef206de .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007691ccb1 5 bytes JMP 000000007ef20788 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007691ccd1 5 bytes JMP 000000007ef207cc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972c91 5 bytes JMP 000000007ef2029e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076996f6b 5 bytes JMP 000000007ef20568 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076996f8e 5 bytes JMP 000000007ef2058a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997339 5 bytes JMP 000000007ef205ac .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769973b2 5 bytes JMP 000000007ef205ce .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074eb8f7d 5 bytes JMP 000000007ef200a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074ebc428 5 bytes JMP 000000007ef20546 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074ebec98 5 bytes JMP 000000007ef204e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074ebf1f8 5 bytes JMP 000000007ef201d2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074ebfa7b 5 bytes JMP 000000007ef20106 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074ebfba9 5 bytes JMP 000000007ef20766 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074ec134a 5 bytes JMP 000000007ef20524 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074ec1371 5 bytes JMP 000000007ef20502 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074ec1d1b 5 bytes JMP 000000007ef2007e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074ec1e07 5 bytes JMP 000000007ef20216 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec2aa4 5 bytes JMP 000000007ef2069a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074ec2ccc 5 bytes JMP 000000007ef20678 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec2d0a 5 bytes JMP 000000007ef206bc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074ec2e6d 5 bytes JMP 000000007ef2005c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074ec37f6 5 bytes JMP 000000007ef2049c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074ec3b63 5 bytes JMP 000000007ef2018e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074ec3e6b 5 bytes JMP 000000007ef208fe .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074ec4489 5 bytes JMP 000000007ef201f4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074ec45fb 5 bytes JMP 000000007ef204be .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074ec4624 5 bytes JMP 000000007ef202e2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074ec9c5c 5 bytes JMP 000000007ef20832 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074ec9fa9 5 bytes JMP 000000007ef20854 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074eca207 5 bytes JMP 000000007ef20942 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074eca416 5 bytes JMP 000000007ef20964 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074eca4f0 5 bytes JMP 000000007ef20920 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074ecc72c 5 bytes JMP 000000007ef2027c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074ece295 5 bytes JMP 000000007ef20986 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 000000007ef20a52 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 000000007ef20b40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 000000007ef20b1e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512 0000000076766343 5 bytes JMP 000000007ef20a74 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007678851d 5 bytes JMP 000000007ef211c2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 000000007678853c 5 bytes JMP 000000007ef211e4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000076793dc6 5 bytes JMP 000000007ef21206 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076ab6ffe 5 bytes JMP 000000007ef21118 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076ab78e2 5 bytes JMP 000000007ef20e92 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076ab7bd3 5 bytes JMP 000000007ef20e70 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076ab8332 5 bytes JMP 000000007ef2115c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ab8a29 5 bytes JMP 000000007ef20f3c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076ab98fd 5 bytes JMP 000000007ef210b2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000076abb6ed 5 bytes JMP 000000007ef20a96 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!GetWindowLongA 0000000076abd156 5 bytes JMP 000000007ef210f6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076abd22e 5 bytes JMP 000000007ef20f5e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076abee09 5 bytes JMP 000000007ef20e4e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076abffe6 5 bytes JMP 000000007ef2106e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076ac00d9 5 bytes JMP 000000007ef21090 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076ac05ba 5 bytes JMP 000000007ef20ed6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ac0dfb 5 bytes JMP 000000007ef20f80 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000076ac20ec 5 bytes JMP 000000007ef2104c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076ac5f74 5 bytes JMP 000000007ef20eb4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076ac6110 5 bytes JMP 000000007ef2113a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076ac6285 5 bytes JMP 000000007ef20ef8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ac7603 5 bytes JMP 000000007ef20e2c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076ac7668 5 bytes JMP 000000007ef211a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076ac7aee 5 bytes JMP 000000007ef2102a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ac835c 5 bytes JMP 000000007ef20e0a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000076adce54 5 bytes JMP 000000007ef20fc4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076adf52b 5 bytes JMP 000000007ef20f1a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076adf588 5 bytes JMP 000000007ef210d4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000076ae10a0 5 bytes JMP 000000007ef20fa2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b0fcd6 5 bytes JMP 000000007ef20fe6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b0fcfa 5 bytes JMP 000000007ef21008 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b16d5d 5 bytes JMP 000000007ef2117e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000074fc8ee9 5 bytes JMP 000000007ef20d1c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000074fc91dd 5 bytes JMP 000000007ef20cd8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000074fc91ea 5 bytes JMP 000000007ef20d82 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000074fcc532 5 bytes JMP 000000007ef20de8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000074fcca4c 5 bytes JMP 000000007ef20b84 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000074fcdf14 5 bytes JMP 000000007ef20cfa .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000074fcdf36 5 bytes JMP 000000007ef20dc6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000074fcdf4e 5 bytes JMP 000000007ef20d60 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000074fcdf7e 5 bytes JMP 000000007ef20da4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000074fd2bf0 5 bytes JMP 000000007ef20b62 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000074fd369c 5 bytes JMP 000000007ef20c72 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000074fd49e5 5 bytes JMP 000000007ef20ab8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000074fe712c 5 bytes JMP 000000007ef20cb6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000074fe7144 5 bytes JMP 000000007ef20bea .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000074fe715c 5 bytes JMP 000000007ef20c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000074fe779b 5 bytes JMP 000000007ef20d3e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000750030e8 5 bytes JMP 000000007ef20c2e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000750030f8 5 bytes JMP 000000007ef20c50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075003108 5 bytes JMP 000000007ef20ba6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075003118 5 bytes JMP 000000007ef20bc8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075003158 5 bytes JMP 000000007ef20c94 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075370171 5 bytes JMP 000000007ef21228 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076ba3918 5 bytes JMP 000000007ef21426 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076ba3cd3 5 bytes JMP 000000007ef21404 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!socket 0000000076ba3eb8 5 bytes JMP 000000007ef21448 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076ba4406 5 bytes JMP 000000007ef2135a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076ba4889 5 bytes JMP 000000007ef2139e .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!recv 0000000076ba6b0e 5 bytes JMP 000000007ef2148c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!connect 0000000076ba6bdd 5 bytes JMP 000000007ef2137c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!send 0000000076ba6f01 5 bytes JMP 000000007ef21338 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076ba7089 5 bytes JMP 000000007ef214ae .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076bacc3f 5 bytes JMP 000000007ef2146a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076bad1ea 5 bytes JMP 000000007ef213c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076bb7673 5 bytes JMP 000000007ef213e2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000076c1c7c3 5 bytes JMP 000000007ef215be .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000076c2843a 5 bytes JMP 000000007ef2157a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6620] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000076c74844 5 bytes JMP 000000007ef2159c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, C4, 16, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, CE, 0C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, 86, 18, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, B2, 19, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, F0, 17, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 64, 0D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, FA, 0D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 1C, 19, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, BC, 0F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 52, 10, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, 26, 0F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 14, 12, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 12, 25, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 3A, 22, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, BE, 26, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 8A, 1C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, D0, 22, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 7C, 24, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, A8, 25, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 78, 20, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, A4, 21, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, E6, 23, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 0E, 21, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, B6, 1D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 20, 1D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, E2, 1F, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 4C, 1F, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 34, 31, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, CA, 31, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 60, 32, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 0000000076e3b500 9 bytes [48, B8, C6, 2D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowLongPtrA + 10 0000000076e3b50a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowW + 1 0000000076e3d265 7 bytes [B8, 42, 2A, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowW + 9 0000000076e3d26d 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SendNotifyMessageW + 1 0000000076e3dc41 7 bytes [B8, 9E, 30, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SendNotifyMessageW + 9 0000000076e3dc49 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1 0000000076e3f875 7 bytes [B8, EA, 27, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9 0000000076e3f87d 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076e433b0 5 bytes [48, B8, 72, 2F, F2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowLongW + 7 0000000076e433b7 5 bytes [07, 00, 00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!GetWindowLongPtrA 0000000076e437c0 12 bytes [48, B8, 6E, 2B, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076e44d4c 12 bytes [48, B8, 80, 28, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!GetWindowLongA 0000000076e45408 12 bytes [48, B8, 9A, 2C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 0000000076e476c0 5 bytes [48, B8, 5C, 2E, F2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 7 0000000076e476c7 5 bytes [07, 00, 00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!GetWindowLongW 0000000076e47f20 12 bytes [48, B8, 30, 2D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!GetWindowLongPtrW 0000000076e496c0 12 bytes [48, B8, 04, 2C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1 0000000076e4a2c9 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SendNotifyMessageA + 1 0000000076e528e5 8 bytes [B8, 08, 30, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SendNotifyMessageA + 10 0000000076e528ee 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowA + 1 0000000076e58271 7 bytes [B8, 16, 29, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowA + 9 0000000076e58279 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1 0000000076e58c21 8 bytes [B8, 54, 27, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10 0000000076e58c2a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowExW + 1 0000000076e58d21 7 bytes [B8, D8, 2A, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowExW + 9 0000000076e58d29 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowExA + 1 0000000076eadae1 7 bytes [B8, AC, 29, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7200] C:\Windows\system32\USER32.dll!FindWindowExA + 9 0000000076eadae9 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, C4, 16, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, CE, 0C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, 86, 18, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, B2, 19, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, F0, 17, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 64, 0D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, FA, 0D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 1C, 19, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, BC, 0F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 52, 10, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, 26, 0F, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, 14, 12, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, 12, 25, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, 3A, 22, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, BE, 26, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 8A, 1C, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, D0, 22, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 7C, 24, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, A8, 25, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 78, 20, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, A4, 21, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, E6, 23, F2, FF, FF, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 0E, 21, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, B6, 1D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, 20, 1D, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, E2, 1F, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 4C, 1F, F2, FF, FF, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 34, 31, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, CA, 31, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2016] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, 60, 32, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 88, 2E, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 60, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 5C, 2D, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 9E, 2F, F2, FF, FF, 07] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 6E, 29, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefdc57d04 12 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefdc6663d 2 bytes [B8, A4] .text C:\Windows\system32\notepad.exe[1616] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 4 000007fefdc66640 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077079281 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770892a1 11 bytes [B8, 64, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000770a1400 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770a1490 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770a14d0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000770a1520 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770a15d0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770a1680 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770a16b0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770a16d0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770a1710 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770a1720 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770a1760 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770a17e0 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770a17f0 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000770a1810 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770a1910 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770a1ce0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770a1d30 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770a1d90 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770a2100 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000770a2640 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770a2840 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770a2a00 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770a2ae0 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770a2af0 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770a2b00 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000771131f1 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076f320f1 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076f321e0 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076f33061 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076f3306a 2 bytes [50, C3] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4e750 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076f51e31 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f85011 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f85031 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f9a560 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f9a670 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076fbf6c1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076fbf8c1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076fbf8f1 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076fbf8fa 2 bytes [50, C3] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd1e1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1e30f1 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd1e4d61 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd1e4ec0 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd1e5ae1 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd1e8b80 12 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd1e9571 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1e9940 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd1e9fb1 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd1ebbb1 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd1eea51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd1f29c1 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefd1f5001 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefd1f56d1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd1faa90 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd214320 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd220be1 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd222841 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd22284a 2 bytes [50, C3] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd222881 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefd30b03d 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefd3246c1 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefd3246e1 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefd338ed9 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefeb28141 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefeb28181 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefeb2af6d 11 bytes [B8, 4C, 46, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeb2c2c0 12 bytes [48, B8, 18, 3C, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefeb2d98d 11 bytes [B8, 5E, 42, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefeb2dad5 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefeb2db21 11 bytes [B8, 36, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb37e04 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefeb40761 11 bytes [B8, 02, 3B, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb43b44 12 bytes [48, B8, 32, 41, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeb5b651 7 bytes [B8, 74, 43, F2, FF, FF, 07] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeb5b65a 2 bytes [50, C3] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb5b704 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007fefeb5b850 12 bytes [48, B8, 44, 3D, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA 000007fefeb5b860 12 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb5b870 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb5b8dc 12 bytes [48, B8, DA, 3E, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1e13b1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1e18e0 12 bytes [48, B8, FC, 4A, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1e1bd1 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1e2201 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1e23c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!connect 000007feff1e45c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1e8001 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1e8df0 8 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1e8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1ec090 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1ede91 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1edf41 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\AUDIODG.EXE[7176] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff20e0f1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770a13e0 7 bytes [48, B8, 60, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000770a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000770a1550 7 bytes [48, B8, E0, F9, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000770a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770a1570 7 bytes [48, B8, D0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770a1580 7 bytes [48, B8, C0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000770a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770a1590 7 bytes [48, B8, 40, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770a15b0 7 bytes [48, B8, B0, F8, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000770a1600 7 bytes [48, B8, 50, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000770a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000770a1610 7 bytes [48, B8, 20, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000770a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770a1640 7 bytes [48, B8, 40, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000770a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000770a16e0 7 bytes [48, B8, 80, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000770a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770a1860 7 bytes [48, B8, C0, FA, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000770a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000770a22d0 7 bytes [48, B8, 00, FE, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000770a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770a2320 7 bytes [48, B8, A0, FD, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000770a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000770a2470 7 bytes [48, B8, A0, FB, D5, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000770a2478 6 bytes {ADD [RAX], AL; JMP RAX} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3580] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4968] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2324] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8048] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2812] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6700] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7420] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5156] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3924] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed3fa6490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed3fa5ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed3fa6470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed3fa66e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7036] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed30e2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 296378 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{A71754E2-12DE-4D44-B9C3-58A91B9A8E30} v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Windows\System32\spoolsv.exe|Name=HP Networked Printer Installer| Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{97F00230-1C96-4C40-9953-400C00CE3845} v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Windows\System32\spoolsv.exe|Name=HP Networked Printer Installer| Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@CriticalSectionTimeout 2592000 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@GlobalFlag 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitFreeBlockThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitTotalFreeThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentCommit 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentReserve 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProcessorControl 2 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ResourceTimeoutCount 648000 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@BootExecute autocheck autochk *? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ExcludeFromKnownDlls Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ObjectDirectories \Windows?\RPC Control? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProtectionMode 1 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@NumberOfInitialSessions 2 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@SetupExecute ---- EOF - GMER 2.2 ----