GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-11 09:46:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD10EADS-00L5B1 rev.01.01A01 931,51GB Running: cb8cczdh.exe; Driver: C:\Users\Yommie\AppData\Local\Temp\fwrirfob.sys ---- Kernel code sections - GMER 2.1 ---- ? C:\Windows\system32\DRIVERS\Jula.sys [0] entry point in "init" section fffff88006c22010 ---- User code sections - GMER 2.1 ---- .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, F9, 55, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, F9, 5C, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, 39, 5B, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, 70, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, F9, 71, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, 79, 75, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, 6E, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, B9, 5E, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 79, 60, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, B9, 73, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, B9, 65, 6A, 74] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, F9, 63, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 79, 4B, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, 39, 46, 6A, 74, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 79, 44, 6A, 74, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, 39, 4D, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, F9, 47, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, B9, 49, 6A, 74, 00, 00, ...] .text C:\Windows\Explorer.EXE[2172] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2456] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe3f4ea1 11 bytes [B8, 79, FA, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe3f55c8 12 bytes [48, B8, B9, 6C, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe40b85c 12 bytes [48, B8, F9, 6A, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe40b9d0 12 bytes [48, B8, 79, 60, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe40ba3c 12 bytes [48, B8, B9, 5E, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Bonjour\mDNSResponder.exe[2552] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, F9, E8, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, B9, EA, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\System32\JulaPAN.exe[2760] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2772] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe3f4ea1 11 bytes [B8, 39, F5, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe3f55c8 12 bytes [48, B8, B9, 6C, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe40b85c 12 bytes [48, B8, F9, 6A, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe40b9d0 12 bytes [48, B8, 79, 60, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe40ba3c 12 bytes [48, B8, B9, 5E, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2804] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Windows\WindowsMobile\wmdc.exe[2832] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000772cf8f0 5 bytes JMP 0000000174326271 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 00000001743268a1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326811 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 0000000174326931 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 0000000174326781 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 00000001743269c1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 00000001743265d1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326a51 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 00000001743266f1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 0000000174326661 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326ae1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326b71 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326301 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 00000001743264b1 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 0000000174326541 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326421 .text C:\Users\Yommie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2944] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000772c000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007734f8ea 5 bytes JMP 00000001772fd5c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765f1465 2 bytes [5F, 76] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765f14bb 2 bytes [5F, 76] .text ... * 2 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326b71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 00000000768d71d7 5 bytes JMP 0000000174323f01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 00000000768dc316 5 bytes JMP 0000000174322131 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 000000007694e4e4 5 bytes JMP 00000001743229a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765f1465 2 bytes [5F, 76] .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe[3028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765f14bb 2 bytes [5F, 76] .text ... * 2 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326b71 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 00000000768d71d7 5 bytes JMP 0000000174323f01 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 00000000768dc316 5 bytes JMP 0000000174322131 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 000000007694e4e4 5 bytes JMP 00000001743229a1 .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765f1465 2 bytes [5F, 76] .text C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765f14bb 2 bytes [5F, 76] .text ... * 2 .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Program Files\Nektar\P4\apps\nklauncher.exe[2064] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000772cf8f0 5 bytes JMP 0000000174326271 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 00000001743268a1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326811 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 0000000174326931 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 0000000174326781 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 00000001743269c1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 00000001743265d1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326a51 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 00000001743266f1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 0000000174326661 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326ae1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326b71 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326301 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 00000001743264b1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 0000000174326541 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326421 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 00000000768d71d7 5 bytes JMP 0000000174323f01 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 00000000768dc316 5 bytes JMP 0000000174322131 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 000000007694e4e4 5 bytes JMP 00000001743229a1 .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 00000000765f1465 2 bytes [5F, 76] .text C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe[324] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000765f14bb 2 bytes [5F, 76] .text ... * 2 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\user32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765f1465 2 bytes [5F, 76] .text C:\Program Files (x86)\SpeedFan\speedfan.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765f14bb 2 bytes [5F, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2936] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000076a33495 5 bytes JMP 0000000102713b70 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2384] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe[1028] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[3076] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe3f4ea1 11 bytes [B8, 39, F5, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe3f55c8 12 bytes [48, B8, B9, 6C, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe40b85c 12 bytes [48, B8, F9, 6A, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe40b9d0 12 bytes [48, B8, 79, 60, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe40ba3c 12 bytes [48, B8, B9, 5E, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[3220] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072931a22 2 bytes [93, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072931ad0 2 bytes [93, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072931b08 2 bytes [93, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072931bba 2 bytes [93, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072931bda 2 bytes [93, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326a51 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326ae1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326b71 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Windows\SysWOW64\PnkBstrA.exe[3240] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 00000001743269c1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326a51 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326ae1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files\Focusrite\VRM Box\VRMService.exe[3452] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe3f4ea1 11 bytes [B8, B9, F8, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe3f55c8 12 bytes [48, B8, B9, 6C, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe40b85c 12 bytes [48, B8, F9, 6A, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe40b9d0 12 bytes [48, B8, 79, 60, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe40ba3c 12 bytes [48, B8, B9, 5E, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2820] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, F9, E8, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, B9, EA, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe[4644] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, F9, E8, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, B9, EA, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, F9, DA, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 79, DE, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe3f4ea1 11 bytes [B8, F9, F6, 6A, 74, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe3f55c8 12 bytes [48, B8, B9, 6C, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe40b85c 12 bytes [48, B8, F9, 6A, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe40b9d0 12 bytes [48, B8, 79, 60, 6A, 74, 00, ...] .text C:\Windows\System32\svchost.exe[4336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe40ba3c 12 bytes [48, B8, B9, 5E, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077121310 6 bytes [48, B8, F9, DA, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 0000000077121318 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, B9, F8, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, F9, E8, 6A, 74] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 39, E7, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefeb713b1 11 bytes [B8, F9, BE, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!closesocket 000007fefeb718e0 12 bytes [48, B8, 39, BD, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefeb71bd1 11 bytes [B8, 79, BB, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefeb72201 11 bytes [B8, B9, E3, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefeb723c0 12 bytes [48, B8, 79, A6, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!connect 000007fefeb745c0 12 bytes [48, B8, 79, 67, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!send + 1 000007fefeb78001 11 bytes [B8, B9, B9, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefeb78df0 7 bytes [48, B8, 39, A8, 6A, 74, 00] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefeb78df9 3 bytes [00, 50, C3] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefeb7de91 11 bytes [B8, B9, DC, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefeb7df41 11 bytes [B8, F9, E1, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefeb9e0f1 11 bytes [B8, 39, E0, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\advapi32.DLL!IsTextUnicode + 49 000007fefe3f4ea1 11 bytes [B8, F9, FD, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\advapi32.DLL!CreateServiceW 000007fefe3f55c8 12 bytes [48, B8, B9, 6C, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\advapi32.DLL!CreateServiceA 000007fefe40b85c 12 bytes [48, B8, F9, 6A, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\advapi32.DLL!ChangeServiceConfigW 000007fefe40b9d0 12 bytes [48, B8, 79, 60, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\advapi32.DLL!ChangeServiceConfigA 000007fefe40ba3c 12 bytes [48, B8, B9, 5E, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefef3a0c4 12 bytes [48, B8, B9, 65, 6A, 74, 00, ...] .text C:\_antysyf\FRST64.exe[4068] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefef3efd1 11 bytes [B8, F9, 63, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[4884] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[5056] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\system32\notepad.exe[3208] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000772cf8f0 5 bytes JMP 0000000174326271 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 00000001743268a1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326811 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 0000000174326931 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 0000000174326781 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 00000001743269c1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 00000001743265d1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326a51 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!PostMessageW 0000000074e512a5 5 bytes JMP 00000001743266f1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!PostMessageA 0000000074e53baa 5 bytes JMP 0000000174326661 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\user32.DLL!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326ae1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326b71 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000765f1465 2 bytes [5F, 76] .text C:\_antysyf\OTL.exe[2992] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000765f14bb 2 bytes [5F, 76] .text ... * 2 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\mscoree.dll!_CorExeMain 000000006a824ddb 5 bytes JMP 0000000074321711 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToCacheFileW 00000000768d71d7 5 bytes JMP 0000000174323f01 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToFileW 00000000768dc316 5 bytes JMP 0000000174322131 .text C:\_antysyf\OTL.exe[2992] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToFileA 000000007694e4e4 5 bytes JMP 00000001743229a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 0000000174326811 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326781 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 00000001743268a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 00000001743266f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 0000000174326931 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 0000000174326541 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 00000001743269c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326a51 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 0000000174326661 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 00000001743265d1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326ae1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000753a0171 5 bytes JMP 0000000174324a41 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!closesocket 0000000076093918 5 bytes JMP 0000000174325a01 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!WSASocketW 0000000076093cd3 5 bytes JMP 0000000174325971 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!socket 0000000076093eb8 5 bytes JMP 0000000174326271 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!WSASend 0000000076094406 5 bytes JMP 00000001743220a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!GetAddrInfoW 0000000076094889 5 bytes JMP 0000000174325341 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!recv 0000000076096b0e 5 bytes JMP 0000000174326421 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!connect 0000000076096bdd 5 bytes JMP 0000000174323f91 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!send 0000000076096f01 5 bytes JMP 0000000174322011 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!WSARecv 0000000076097089 5 bytes JMP 00000001743264b1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!WSAConnect 000000007609cc3f 5 bytes JMP 0000000174326391 .text C:\Program Files (x86)\Notepad++\notepad++.exe[3888] C:\Windows\syswow64\WS2_32.DLL!gethostbyname 00000000760a7673 5 bytes JMP 00000001743253d1 .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\notepad.exe[3984] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[3984] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000771092d1 5 bytes [B8, 39, 69, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000771092d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 6 bytes [48, B8, B9, F1, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes [48, B8, B9, D5, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000771213a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 6 bytes [48, B8, 79, C2, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 6 bytes [48, B8, F9, 32, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 6 bytes [48, B8, 39, 1C, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 6 bytes [48, B8, F9, 1D, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 6 bytes [48, B8, B9, C0, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 6 bytes [48, B8, 39, EE, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 6 bytes [48, B8, 79, 2F, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 6 bytes [48, B8, 79, 36, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 6 bytes [48, B8, B9, 34, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 6 bytes [48, B8, 79, F3, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 6 bytes [48, B8, 39, 2A, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 6 bytes [48, B8, B9, 26, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 6 bytes [48, B8, F9, EF, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000771218b0 6 bytes [48, B8, F9, F6, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000771218b8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 6 bytes [48, B8, 79, EC, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 6 bytes [48, B8, 79, 28, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 6 bytes [48, B8, F9, 24, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 6 bytes [48, B8, 79, D7, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 79, 83, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, 39, 31, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 39, D9, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, 79, 3D, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, B9, 3B, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 39, F5, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 39, E7, 6A, 74] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077193201 11 bytes [B8, 39, 85, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076eb1b21 11 bytes [B8, F9, D3, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076eb1c10 12 bytes [48, B8, F9, 39, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076ecdb80 12 bytes [48, B8, B9, 2D, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ed0931 11 bytes [B8, 79, E5, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076f052f1 11 bytes [B8, B9, 7A, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076f05311 11 bytes [B8, 39, 77, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076f1a5e0 12 bytes [48, B8, B9, 81, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076f1a6f0 12 bytes [48, B8, 39, 7E, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf81861 11 bytes [B8, 79, 52, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf82db1 11 bytes [B8, B9, C7, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf83461 11 bytes [B8, 79, C9, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf88ef0 12 bytes [48, B8, F9, C5, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf894c0 12 bytes [48, B8, B9, 50, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf8bfd1 11 bytes [B8, 39, C4, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf92af1 11 bytes [B8, F9, 4E, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcfb4350 12 bytes [48, B8, B9, 42, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcfc2871 8 bytes [B8, 39, 23, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcfc287a 2 bytes [50, C3] .text C:\Windows\notepad.exe[5000] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcfc28b1 11 bytes [B8, F9, 40, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2c642d 11 bytes [B8, 39, 5B, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2c6484 12 bytes [48, B8, F9, 55, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2c6519 11 bytes [B8, 39, 62, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2c6c34 12 bytes [48, B8, 39, 54, 6A, 74, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2c7ab5 11 bytes [B8, F9, 5C, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2c8b01 11 bytes [B8, B9, 57, 6A, 74, 00, 00, ...] .text C:\Windows\notepad.exe[5000] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2c8c39 11 bytes [B8, 79, 59, 6A, 74, 00, 00, ...] .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000772cf8f0 5 bytes JMP 0000000174326271 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000772cf928 5 bytes JMP 00000001743268a1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 5 bytes JMP 00000001743260c1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 5 bytes JMP 0000000174325b21 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000772cfc20 5 bytes JMP 0000000174323061 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc50 5 bytes JMP 00000001743215f1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000772cfc80 5 bytes JMP 0000000174321681 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 5 bytes JMP 0000000174325a91 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 5 bytes JMP 0000000174326811 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe14 5 bytes JMP 0000000174322f41 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000772cfe44 5 bytes JMP 0000000174323181 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000772cff24 5 bytes JMP 00000001743230f1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 5 bytes JMP 0000000174326931 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000772cffec 5 bytes JMP 0000000174322d91 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 5 bytes JMP 0000000174322c71 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 5 bytes JMP 0000000174321e61 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772d01c4 5 bytes JMP 0000000174322251 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 5 bytes JMP 0000000174326781 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000772d0814 5 bytes JMP 0000000174322d01 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 5 bytes JMP 0000000174322be1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 5 bytes JMP 0000000174326151 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000772d1604 5 bytes JMP 0000000174324801 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000772d1920 5 bytes JMP 0000000174322fd1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 5 bytes JMP 00000001743261e1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000772d1d54 5 bytes JMP 00000001743232a1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000772d1d70 5 bytes JMP 0000000174323211 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 5 bytes JMP 00000001743269c1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000772d1ee8 5 bytes JMP 00000001743265d1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000772e88c4 5 bytes JMP 0000000174321a71 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077310d3b 5 bytes JMP 0000000174321f81 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007735860f 5 bytes JMP 0000000174324891 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007735e8ab 5 bytes JMP 0000000174321ef1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076a30e00 5 bytes JMP 0000000174321d41 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a31072 5 bytes JMP 0000000174322911 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076a3499f 5 bytes JMP 0000000174322521 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a43bbb 5 bytes JMP 0000000174322eb1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076a57327 5 bytes JMP 0000000174322641 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000076a588da 5 bytes JMP 0000000174326031 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076ab2ff1 5 bytes JMP 00000001743227f1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076ad748b 5 bytes JMP 0000000174324411 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076ad74ae 5 bytes JMP 0000000174324531 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076ad7859 5 bytes JMP 0000000174324651 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076ad78d2 5 bytes JMP 0000000174324771 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076598f7d 5 bytes JMP 00000001743219e1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007659c428 5 bytes JMP 0000000174323961 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007659ec98 5 bytes JMP 0000000174323451 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007659f1f8 5 bytes JMP 00000001743222e1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007659fa7b 5 bytes JMP 0000000174321dd1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000765a134a 5 bytes JMP 00000001743238d1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000765a1371 5 bytes JMP 0000000174323841 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000765a1d1b 5 bytes JMP 0000000174321951 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000765a1e07 5 bytes JMP 0000000174322401 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765a2aa4 5 bytes JMP 0000000174325c41 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000765a2ccc 5 bytes JMP 0000000174325bb1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000765a2d0a 5 bytes JMP 0000000174325cd1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000765a2e6d 5 bytes JMP 00000001743218c1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000765a3b63 5 bytes JMP 00000001743221c1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000765a4489 5 bytes JMP 0000000174322371 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000765a45fb 5 bytes JMP 00000001743233c1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000765a4624 5 bytes JMP 0000000174322b51 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000765ac72c 5 bytes JMP 00000001743226d1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000760fc9ec 5 bytes JMP 0000000174323a81 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076102b70 5 bytes JMP 00000001743239f1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007610361c 5 bytes JMP 0000000174323e71 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076104965 5 bytes JMP 0000000174326a51 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000761170c4 5 bytes JMP 00000001743240b1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000761170dc 5 bytes JMP 0000000174323c31 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000761170f4 5 bytes JMP 0000000174323cc1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000761331f4 5 bytes JMP 0000000174323d51 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076133204 5 bytes JMP 0000000174323de1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076133214 5 bytes JMP 0000000174323b11 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076133224 5 bytes JMP 0000000174323ba1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076133264 5 bytes JMP 0000000174324021 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000764ea472 5 bytes JMP 0000000174326ae1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000764f27ce 5 bytes JMP 0000000174321b91 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000764fe6cf 5 bytes JMP 0000000174321b01 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000074e478e2 5 bytes JMP 00000001743241d1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000074e47bd3 5 bytes JMP 0000000174324141 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074e48a29 5 bytes JMP 0000000174325461 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000074e498fd 5 bytes JMP 0000000174325e81 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000074e4b6ed 5 bytes JMP 0000000174326b71 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074e4d22e 5 bytes JMP 00000001743254f1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e4ee09 5 bytes JMP 0000000174323331 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000074e4ffe6 5 bytes JMP 0000000174325d61 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000074e500d9 5 bytes JMP 0000000174325df1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000074e505ba 5 bytes JMP 00000001743242f1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000074e50dfb 5 bytes JMP 0000000174325581 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074e512a5 5 bytes JMP 00000001743266f1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000074e520ec 5 bytes JMP 00000001743258e1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074e53baa 5 bytes JMP 0000000174326661 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000074e55f74 5 bytes JMP 0000000174324261 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074e56285 5 bytes JMP 0000000174324921 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e57603 5 bytes JMP 0000000174322ac1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074e57aee 5 bytes JMP 0000000174325851 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e5835c 5 bytes JMP 0000000174322a31 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000074e6ce54 5 bytes JMP 00000001743256a1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e6f52b 5 bytes JMP 00000001743249b1 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000074e6f588 5 bytes JMP 0000000174325f11 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000074e710a0 5 bytes JMP 0000000174325611 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074e9fcd6 5 bytes JMP 0000000174325731 .text C:\_antysyf\cb8cczdh.exe[4872] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074e9fcfa 5 bytes JMP 00000001743257c1 ---- Processes - GMER 2.1 ---- Library C:\Users\Yommie\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe [324](2014-01-03 03:42:50) 0000000003850000 Library c:\users\yommie\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphyfqbm.dll (*** suspicious ***) @ C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe [324](2014-05-10 22:35:21) 0000000004170000 Library C:\Users\Yommie\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe [324](2013-10-18 23:55:02) 000000006c410000 Library C:\Users\Yommie\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Yommie\AppData\Roaming\Dropbox\bin\Dropbox.exe [324] (ICU Data DLL/The ICU Project)(2013-10-18 23:55:00) 000000006ba80000 Library C:\Users\Yommie\AppData\Local\Temp\sfareca00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [2020](2014-05 0000000010000000 Library C:\Users\Yommie\AppData\Local\Temp\sfamcc00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [2020](2012-07-1 0000000003bd0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x20 0x34 0xDA 0x32 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x20 0x34 0xDA 0x32 ... ---- Files - GMER 2.1 ---- File C:\Users\Yommie\AppData\Local\Opera\Opera\cache\sesn\opr2OS1N.tmp 211 bytes File C:\Users\Yommie\AppData\Local\Opera\Opera\cache\sesn\opr2OS1V.tmp 77 bytes ---- EOF - GMER 2.1 ----