GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-01 10:29:47
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD7500AADS-00M2B0 rev.01.00A01 698,64GB
Running: gmer.exe; Driver: C:\Users\dibox\AppData\Local\Temp\awrdikod.sys

---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1636] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text 
C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772df4a0 6 bytes [48, B8, 79, E5, 83, 75] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000772df4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 
000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefc6b56e0 4 bytes [48, B8, F9, C5] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 + 5 000007fefc6b56e5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefc6c010c 4 bytes [48, B8, 39, C4] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\System32\DNSAPI.dll!DnsQuery_W + 5 000007fefc6c0111 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefc6ddaa0 4 bytes [48, B8, 79, C2] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\System32\DNSAPI.dll!DnsQuery_A + 5 000007fefc6ddaa5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff0313b1 11 bytes [B8, 79, A6, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!closesocket 000007feff0318e0 12 bytes [48, B8, B9, A4, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff031bd1 11 bytes [B8, F9, A2, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff032201 11 bytes [B8, 39, E0, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff0323c0 12 bytes [48, B8, 39, 8C, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!connect 000007feff0345c0 12 bytes [48, B8, 79, 67, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!send + 1 000007feff038001 11 bytes [B8, 39, A1, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff038df0 7 bytes [48, B8, B9, 8F, 83, 75, 00] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff038df9 3 bytes [00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff03c090 12 bytes [48, B8, F9, 8D, 83, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff03de91 11 bytes [B8, 39, D9, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff03df41 11 bytes [B8, 79, DE, 83, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff05e0f1 11 bytes [B8, B9, DC, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1868] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, 39, E7, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 4 bytes [48, B8, B9, 6C] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!CreateServiceW + 5 000007feff4e55cd 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 4 bytes [48, B8, F9, 6A] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!CreateServiceA + 5 000007feff4fb861 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 4 bytes [48, B8, 79, 60] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 5 000007feff4fb9d5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 4 bytes [48, B8, B9, 5E] .text C:\Windows\system32\svchost.exe[1868] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 5 000007feff4fba41 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, EC, 83, 75, 00, 00, ...] 
.text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, FF, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, F3, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, EF, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, E8, 83, 75, 00, 00, ...] 
.text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, C7, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, C9, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, CB, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, E5, 83, 75, 00, 00, ...] 
.text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff0313b1 11 bytes [B8, 79, A6, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!closesocket 000007feff0318e0 12 bytes [48, B8, B9, A4, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff031bd1 11 bytes [B8, F9, A2, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff032201 11 bytes [B8, 39, E0, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff0323c0 12 bytes [48, B8, 39, 8C, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!connect 000007feff0345c0 12 bytes [48, B8, 79, 67, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!send + 1 000007feff038001 11 bytes [B8, 39, A1, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff038df0 7 bytes [48, B8, B9, 8F, 83, 75, 00] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff038df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff03c090 12 bytes [48, B8, F9, 8D, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff03de91 11 bytes [B8, 39, D9, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff03df41 11 bytes [B8, 79, DE, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff05e0f1 11 bytes [B8, B9, DC, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc6b56e0 4 bytes [48, B8, F9, C5] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 + 5 000007fefc6b56e5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc6c010c 4 bytes [48, B8, 39, C4] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\DNSAPI.dll!DnsQuery_W + 5 000007fefc6c0111 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc6ddaa0 4 bytes [48, B8, 79, C2] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\DNSAPI.dll!DnsQuery_A + 5 000007fefc6ddaa5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175946619 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 0000000175946029 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 0000000175941689 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945f91 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes 
JMP 00000001759430a9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 00000001759466b1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175946749 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 0000000175947291 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 bytes JMP 0000000175942009 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 0000000175942a21 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 
0000000175943011 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946f01 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946ca1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175946581 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccb1 5 bytes JMP 0000000175946b71 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 0000000175946dd1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] 
C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 0000000175946a41 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 bytes JMP 0000000175943ac1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 0000000175946159 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 
00000001759460c1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 00000001759461f1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 bytes JMP 0000000175942c81 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 bytes JMP 00000001759427c1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076763918 5 bytes JMP 0000000175945ef9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076763cd3 5 bytes JMP 0000000175945e61 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!socket 0000000076763eb8 5 bytes JMP 0000000175946f99 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076764406 5 bytes JMP 0000000175942139 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 
0000000076764889 5 bytes JMP 0000000175945741 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!recv 0000000076766b0e 5 bytes JMP 0000000175947161 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!connect 0000000076766bdd 1 byte JMP 00000001759441e1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076766bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!send 0000000076766f01 5 bytes JMP 00000001759420a1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076767089 5 bytes JMP 00000001759471f9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007676cc3f 5 bytes JMP 00000001759470c9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007676d1ea 5 bytes JMP 00000001759457d9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076777673 5 bytes JMP 0000000175945871 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d4a472 5 bytes JMP 00000001759474f1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000081401 2 bytes 
JMP 7688b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000081419 2 bytes JMP 7688b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000081431 2 bytes JMP 76908f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000008144a 2 bytes CALL 76864885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000000814dd 2 bytes JMP 76908802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000000814f5 2 bytes JMP 769089d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000008150d 2 bytes JMP 769086f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000081525 2 bytes JMP 76908ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000008153d 2 bytes JMP 7687fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000081555 2 bytes JMP 768868bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] 
C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000008156d 2 bytes JMP 76908fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000081585 2 bytes JMP 76908b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000008159d 2 bytes JMP 769086bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000000815b5 2 bytes JMP 7687fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000000815cd 2 bytes JMP 7688b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000000816b2 2 bytes JMP 76908e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000000816bd 2 bytes JMP 76908651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 
0000000076b64965 5 bytes JMP 0000000175947589 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1992] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] 
.text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772df4a0 6 bytes [48, B8, 79, E5, 83, 75] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000772df4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, 79, EC, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 4 bytes [48, B8, B9, 6C] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!CreateServiceW + 5 000007feff4e55cd 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 4 bytes [48, B8, F9, 6A] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!CreateServiceA + 5 000007feff4fb861 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 4 bytes [48, B8, 79, 60] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 5 000007feff4fb9d5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 4 bytes [48, B8, B9, 5E] .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 5 000007feff4fba41 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175945c99 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 00000001759456a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 0000000175941689 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945611 
.text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes JMP 00000001759430a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 0000000175945d31 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175945dc9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] 
C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 0000000175946911 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 bytes JMP 0000000175942009 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 0000000175942a21 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 0000000175943011 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946581 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946321 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175945c01 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] 
C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccb1 5 bytes JMP 00000001759461f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 0000000175946451 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 00000001759460c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 bytes JMP 0000000175943ac1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] 
C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 00000001759457d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 0000000175945741 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 0000000175945871 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 bytes JMP 0000000175942c81 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 bytes JMP 00000001759427c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000004378e2 5 bytes JMP 0000000075944441 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000000437bd3 5 bytes JMP 00000000759443a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!CreateWindowExW 
0000000000438a29 5 bytes JMP 0000000075944f89 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000004398fd 5 bytes JMP 0000000075945a39 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000000043b6ed 5 bytes JMP 0000000075946ad9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000000043d22e 5 bytes JMP 0000000075945021 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000000043ee09 5 bytes JMP 00000000759434d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!FindWindowA 000000000043ffe6 5 bytes JMP 0000000075945909 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000004400d9 5 bytes JMP 00000000759459a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000004405ba 5 bytes JMP 0000000075944571 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000000440dfb 5 bytes JMP 00000000759450b9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000004412a5 5 bytes JMP 0000000075946a41 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000004420ec 5 bytes JMP 0000000075945449 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000000443baa 5 bytes JMP 00000000759469a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000000445f74 5 bytes JMP 00000000759444d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000000446285 5 bytes JMP 0000000075944bf9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000000447603 5 bytes JMP 0000000075942be9 .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000000447aee 5 bytes JMP 00000000759453b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000000044835c 5 bytes JMP 0000000075942b51 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000000045ce54 5 bytes JMP 00000000759451e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000000045f52b 5 bytes JMP 0000000075944c91 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000000045f588 5 bytes JMP 0000000075945ad1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000004610a0 5 bytes JMP 0000000075945151 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000000048fcd6 2 bytes JMP 0000000075945281 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000000048fcd9 2 bytes [4B, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000000048fcfa 5 bytes JMP 0000000075945319 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d4a472 5 bytes JMP 0000000175946b71 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] 
C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076b64965 5 bytes JMP 0000000175946c09 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075b20179 5 bytes JMP 0000000175944d29 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000748d17fa 2 bytes CALL 768611a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000748d1860 2 bytes CALL 768611a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000748d1942 2 bytes JMP 76767089 C:\Windows\syswow64\WS2_32.dll 
.text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000748d194d 2 bytes JMP 7676cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076763918 5 bytes JMP 0000000175945579 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076763cd3 5 bytes JMP 00000001759454e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!socket 0000000076763eb8 5 bytes JMP 0000000175946619 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076764406 5 bytes JMP 0000000175942139 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076764889 5 bytes JMP 0000000175944dc1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!recv 0000000076766b0e 5 bytes JMP 00000001759467e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!connect 0000000076766bdd 1 byte JMP 00000001759441e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076766bdf 3 bytes {CALL RBP} .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!send 0000000076766f01 5 bytes JMP 00000001759420a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076767089 5 bytes JMP 0000000175946879 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007676cc3f 5 bytes JMP 0000000175946749 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007676d1ea 5 bytes JMP 0000000175944e59 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076777673 5 bytes JMP 0000000175944ef1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000005d1401 2 bytes JMP 
7688b1ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000005d1419 2 bytes JMP 7688b31a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000005d1431 2 bytes JMP 76908f09 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000005d144a 2 bytes CALL 76864885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000005d14dd 2 bytes JMP 76908802 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000005d14f5 2 bytes JMP 769089d8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000005d150d 2 bytes JMP 769086f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000005d1525 2 bytes JMP 76908ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000005d153d 2 bytes JMP 7687fc78 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000005d1555 2 bytes JMP 768868bf C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000005d156d 2 bytes JMP 76908fc1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000005d1585 2 bytes JMP 76908b22 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] 
C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000005d159d 2 bytes JMP 769086bc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000005d15b5 2 bytes JMP 7687fd11 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000005d15cd 2 bytes JMP 7688b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000005d16b2 2 bytes JMP 76908e84 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000005d16bd 2 bytes JMP 76908651 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, F9, 55, 83, 75, 00, 00] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, 5C, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 
00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, 5B, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 
00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, B9, 5E, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, 79, 60, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772df4a0 6 bytes [48, B8, 79, 75, 83, 75] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000772df4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, 
B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 39, 69, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, 73, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 39, 70, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, B9, 6C, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, B9, 65, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 79, 4B, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, 39, 46, 83, 75, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 79, 52, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 79, 44, 83, 75, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, 39, 4D, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, F9, 47, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, B9, 49, 83, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2152] C:\Windows\system32\WS2_32.dll!connect 000007feff0345c0 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] 
.text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175946619 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 0000000175946029 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 0000000175941689 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945f91 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes JMP 00000001759430a9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Program 
Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 00000001759466b1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175946749 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 0000000175947291 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 bytes JMP 0000000175942009 .text C:\Program 
Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 0000000175942a21 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 0000000175943011 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946f01 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946ca1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175946581 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccb1 5 bytes JMP 0000000175946b71 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 
0000000175946dd1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 0000000175946a41 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 
bytes JMP 0000000175943ac1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 0000000175946159 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 00000001759460c1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 00000001759461f1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 bytes JMP 0000000175942c81 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 
bytes JMP 00000001759427c1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\MSVCRT.dll!_lock + 41 0000000076d4a472 5 bytes JMP 0000000175947459 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\MSVCRT.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\MSVCRT.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000004578e2 5 bytes JMP 0000000075944441 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000000457bd3 5 bytes JMP 00000000759443a9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000000458a29 5 bytes JMP 0000000075945909 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000004598fd 5 bytes JMP 00000000759463b9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000000045b6ed 1 byte JMP 00000000759474f1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 2 000000000045b6ef 3 bytes {JMP 0x754ebe04} .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000000045d22e 5 bytes JMP 00000000759459a1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000000045ee09 5 bytes JMP 00000000759434d1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!FindWindowA 000000000045ffe6 5 bytes JMP 0000000075946289 .text 
C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000004600d9 5 bytes JMP 0000000075946321 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000004605ba 5 bytes JMP 0000000075944571 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000000460dfb 5 bytes JMP 0000000075945a39 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000004612a5 5 bytes JMP 00000000759473c1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000004620ec 5 bytes JMP 0000000075945dc9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000000463baa 5 bytes JMP 0000000075947329 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000000465f74 5 bytes JMP 00000000759444d9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000000466285 5 bytes JMP 0000000075944bf9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000000467603 5 bytes JMP 0000000075942be9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000000467aee 5 bytes JMP 0000000075945d31 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000000046835c 5 bytes JMP 0000000075942b51 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000000047ce54 5 bytes JMP 0000000075945b69 .text C:\Program Files 
(x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000000047f52b 5 bytes JMP 0000000075944c91 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000000047f588 5 bytes JMP 0000000075946451 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000004810a0 5 bytes JMP 0000000075945ad1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000004afcd6 5 bytes JMP 0000000075945c01 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000004afcfa 5 bytes JMP 0000000075945c99 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076b64965 5 bytes JMP 0000000175947589 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Program 
Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe[2184] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075b20179 5 bytes JMP 0000000175944d29 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes 
[48, B8, F9, 1D, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text 
C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\system32\svchost.exe[2336] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, 39, E7, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 4 bytes [48, B8, B9, 6C] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!CreateServiceW + 5 000007feff4e55cd 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 4 bytes [48, B8, F9, 6A] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA + 5 000007feff4fb861 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 4 bytes [48, B8, 79, 60] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 5 000007feff4fb9d5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 4 bytes [48, B8, B9, 5E] .text C:\Windows\system32\svchost.exe[2336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 5 000007feff4fba41 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175945c99 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 00000001759456a9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 
0000000175941689 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945611 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes JMP 00000001759430a9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 0000000175945d31 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] 
C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175945dc9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 0000000175946911 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 bytes JMP 0000000175942009 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 
0000000175942a21 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 0000000175943011 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946581 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946321 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175945c01 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccb1 5 bytes JMP 00000001759461f1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 0000000175946451 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 00000001759460c1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 bytes JMP 0000000175943ac1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] 
C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 00000001759457d9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 0000000175945741 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 0000000175945871 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 bytes JMP 0000000175942c81 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 bytes JMP 00000001759427c1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d4a472 5 bytes JMP 0000000175946b71 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076b64965 5 bytes JMP 0000000175946c09 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] 
C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000008878e2 5 bytes JMP 0000000075944441 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000000887bd3 5 bytes JMP 00000000759443a9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000000888a29 5 bytes JMP 0000000075944f89 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000008898fd 5 bytes JMP 0000000075945a39 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000000088b6ed 5 bytes JMP 0000000075946ca1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000000088d22e 5 bytes JMP 0000000075945021 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000000088ee09 5 bytes JMP 00000000759434d1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowA 000000000088ffe6 5 bytes JMP 0000000075945909 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000008900d9 5 bytes JMP 00000000759459a1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000008905ba 5 bytes JMP 0000000075944571 .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000000890dfb 5 bytes JMP 00000000759450b9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000008912a5 5 bytes JMP 0000000075946a41 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000008920ec 5 bytes JMP 0000000075945449 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000000893baa 5 bytes JMP 00000000759469a9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000000895f74 5 bytes JMP 00000000759444d9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000000896285 5 bytes JMP 0000000075944bf9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000000897603 5 bytes JMP 0000000075942be9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000000897aee 5 bytes JMP 00000000759453b1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000000089835c 5 bytes JMP 0000000075942b51 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000008ace54 5 bytes JMP 00000000759451e9 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000008af52b 5 bytes JMP 0000000075944c91 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000008af588 
5 bytes JMP 0000000075945ad1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000008b10a0 5 bytes JMP 0000000075945151 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000008dfcd6 2 bytes JMP 0000000075945281 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000008dfcd9 2 bytes [06, 75] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000008dfcfa 5 bytes JMP 0000000075945319 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075b20179 5 bytes JMP 0000000175944d29 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076763918 5 bytes JMP 0000000175945579 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076763cd3 5 bytes JMP 00000001759454e1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!socket 0000000076763eb8 5 bytes JMP 0000000175946619 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076764406 5 bytes JMP 0000000175942139 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076764889 5 bytes JMP 0000000175944dc1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!recv 0000000076766b0e 5 bytes JMP 00000001759467e1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!connect 
0000000076766bdd 1 byte JMP 00000001759441e1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076766bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!send 0000000076766f01 5 bytes JMP 00000001759420a1 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076767089 5 bytes JMP 0000000175946879 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007676cc3f 5 bytes JMP 0000000175946749 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007676d1ea 5 bytes JMP 0000000175944e59 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2456] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076777673 5 bytes JMP 0000000175944ef1 .text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, F0, 12, 0E, 01] .text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2520] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007710b861 11 bytes [B8, F0, 12, 9B, 01, 00, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text 
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Program Files\Common Files\Microsoft 
Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772df4a0 6 bytes [48, B8, 79, E5, 83, 75] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000772df4a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, EA, 83, 75, 00, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 4 bytes [48, B8, B9, 6C] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!CreateServiceW + 5 000007feff4e55cd 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 4 bytes [48, B8, F9, 6A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!CreateServiceA + 5 000007feff4fb861 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 4 bytes [48, B8, 79, 60] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 5 000007feff4fb9d5 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 4 bytes [48, B8, B9, 5E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 5 000007feff4fba41 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff0313b1 11 bytes [B8, 79, A6, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!closesocket 000007feff0318e0 12 bytes [48, B8, B9, A4, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff031bd1 11 bytes [B8, F9, A2, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff032201 11 bytes [B8, 39, E0, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff0323c0 12 bytes [48, B8, 39, 8C, 83, 75, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!connect 000007feff0345c0 12 bytes [48, B8, 79, 67, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!send + 1 000007feff038001 11 bytes [B8, 39, A1, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff038df0 7 bytes [48, B8, B9, 8F, 83, 75, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff038df9 3 bytes [00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff03c090 12 bytes [48, B8, F9, 8D, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff03de91 11 bytes [B8, 39, D9, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff03df41 11 bytes [B8, 79, DE, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff05e0f1 11 bytes [B8, B9, DC, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1192] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175946619 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 0000000175946029 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 0000000175941689 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945f91 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes JMP 00000001759430a9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Windows\vsnpstd3.exe[2384] 
C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 00000001759466b1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175946749 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 0000000175947291 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 bytes JMP 0000000175942009 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Windows\vsnpstd3.exe[2384] 
C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 0000000175942a21 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 0000000175943011 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946f01 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946ca1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175946581 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccb1 5 bytes JMP 0000000175946b71 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 0000000175946dd1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Windows\vsnpstd3.exe[2384] 
C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 0000000175946a41 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 bytes JMP 0000000175943ac1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 0000000175946159 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 00000001759460c1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 00000001759461f1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Windows\vsnpstd3.exe[2384] 
C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 bytes JMP 0000000175942c81 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 bytes JMP 00000001759427c1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d4a472 5 bytes JMP 0000000175947459 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000004f78e2 5 bytes JMP 0000000075944441 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000004f7bd3 5 bytes JMP 00000000759443a9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000004f8a29 5 bytes JMP 0000000075945909 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000004f98fd 5 bytes JMP 00000000759463b9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000004fb6ed 1 byte JMP 00000000759474f1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 2 00000000004fb6ef 3 bytes {JMP 0x7544be04} .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000004fd22e 5 bytes JMP 00000000759459a1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000004fee09 5 bytes JMP 00000000759434d1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000004fffe6 5 bytes JMP 0000000075946289 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000005000d9 5 bytes 
JMP 0000000075946321 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000005005ba 5 bytes JMP 0000000075944571 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000000500dfb 5 bytes JMP 0000000075945a39 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000005012a5 5 bytes JMP 00000000759473c1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000005020ec 5 bytes JMP 0000000075945dc9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000000503baa 5 bytes JMP 0000000075947329 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000000505f74 5 bytes JMP 00000000759444d9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000000506285 5 bytes JMP 0000000075944bf9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000000507603 5 bytes JMP 0000000075942be9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000000507aee 5 bytes JMP 0000000075945d31 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000000050835c 5 bytes JMP 0000000075942b51 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000000051ce54 5 bytes JMP 0000000075945b69 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000000051f52b 5 bytes JMP 0000000075944c91 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000000051f588 5 bytes JMP 0000000075946451 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000005210a0 5 bytes JMP 0000000075945ad1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000000054fcd6 5 bytes JMP 0000000075945c01 .text 
C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000000054fcfa 5 bytes JMP 0000000075945c99 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076b64965 5 bytes JMP 0000000175947589 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Windows\vsnpstd3.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx 
+ 10 00000000772c674a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, D9, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, C5, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, C4, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, DA, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, DC, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, 
C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772df4a0 6 bytes [48, B8, 79, 01, 84, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000772df4a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, EC, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, FF, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, F3, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, EF, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, E8, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, C7, 83, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, C9, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, CB, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, E5, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2480] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 
83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772df4a0 6 bytes [48, B8, 79, E5, 83, 75] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000772df4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007748f8ec 5 bytes JMP 0000000175946619 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175945c99 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 00000001759456a9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 0000000175941689 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945611 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes JMP 00000001759430a9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 0000000175945d31 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175945dc9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 00000001759469a9 .text 
C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 bytes JMP 0000000175942009 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 0000000175942a21 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 0000000175943011 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946581 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946321 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175945c01 .text 
C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccb1 5 bytes JMP 00000001759461f1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 0000000175946451 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] 
C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 00000001759460c1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 bytes JMP 0000000175943ac1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 00000001759457d9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 0000000175945741 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 0000000175945871 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 
bytes JMP 0000000175942c81 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 bytes JMP 00000001759427c1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d4a472 5 bytes JMP 0000000175946b71 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000003c78e2 5 bytes JMP 0000000075944441 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000003c7bd3 5 bytes JMP 00000000759443a9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000003c8a29 5 bytes JMP 0000000075944f89 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000003c98fd 5 bytes JMP 0000000075945a39 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000003cb6ed 5 bytes JMP 0000000075946c09 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000003cd22e 5 bytes JMP 0000000075945021 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000003cee09 5 bytes JMP 00000000759434d1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000003cffe6 5 bytes JMP 0000000075945909 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] 
C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000003d00d9 5 bytes JMP 00000000759459a1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000003d05ba 5 bytes JMP 0000000075944571 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000003d0dfb 5 bytes JMP 00000000759450b9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000003d12a5 5 bytes JMP 0000000075946ad9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000003d20ec 5 bytes JMP 0000000075945449 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000003d3baa 5 bytes JMP 0000000075946a41 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000003d5f74 5 bytes JMP 00000000759444d9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000003d6285 5 bytes JMP 0000000075944bf9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000003d7603 5 bytes JMP 0000000075942be9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000003d7aee 5 bytes JMP 00000000759453b1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000003d835c 5 bytes JMP 0000000075942b51 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000003ece54 5 bytes JMP 00000000759451e9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000003ef52b 5 bytes JMP 0000000075944c91 
.text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000003ef588 5 bytes JMP 0000000075945ad1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000003f10a0 5 bytes JMP 0000000075945151 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000000041fcd6 2 bytes JMP 0000000075945281 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000000041fcd9 2 bytes [52, 75] .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000000041fcfa 5 bytes JMP 0000000075945319 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076b64965 5 bytes JMP 0000000175946ca1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] 
C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075b20179 5 bytes JMP 0000000175944d29 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076763918 5 bytes JMP 0000000175945579 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076763cd3 5 bytes JMP 00000001759454e1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!socket 0000000076763eb8 5 bytes JMP 00000001759466b1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076764406 5 bytes JMP 0000000175942139 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076764889 5 bytes JMP 0000000175944dc1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!recv 0000000076766b0e 5 bytes JMP 0000000175946879 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!connect 0000000076766bdd 1 byte JMP 00000001759441e1 .text 
C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076766bdf 3 bytes {CALL RBP} .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!send 0000000076766f01 5 bytes JMP 00000001759420a1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076767089 5 bytes JMP 0000000175946911 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007676cc3f 5 bytes JMP 00000001759467e1 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007676d1ea 5 bytes JMP 0000000175944e59 .text C:\Users\dibox\AppData\Local\GG\Application\gghub.exe[3096] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076777673 5 bytes JMP 0000000175944ef1 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772de0b0 6 bytes [48, B8, B9, 26, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000772de0b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000772de5f0 6 bytes [48, B8, 79, 28, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000772de5f8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772de650 6 bytes [48, B8, F9, 24, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000772de658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772de9c0 6 bytes [48, B8, F9, BE, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000772de9c8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000772def00 6 bytes [48, B8, 79, 83, 83, 75] .text 
C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000772def08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772df100 6 bytes [48, B8, 39, 31, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000772df108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772df2c0 6 bytes [48, B8, B9, C0, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000772df2c8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772df3a0 6 bytes [48, B8, 79, 3D, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000772df3a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772df3b0 6 bytes [48, B8, B9, 3B, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000772df3b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772df4a0 6 bytes [48, B8, 79, E5, 83, 75] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000772df4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007734ea21 11 bytes [B8, 39, 85, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] 
.text C:\Windows\System32\spool\drivers\x64\3\E_IATIHJE.EXE[3168] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, F0, 12, 25, 02] .text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3192] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007710b861 11 bytes [B8, F0, 12, 3B, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077071b21 11 bytes [B8, 79, BB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077071c10 12 bytes [48, B8, F9, 39, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077072b61 8 bytes [B8, 79, D0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077072b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708dbc0 12 bytes [48, B8, B9, 2D, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077090941 11 bytes [B8, B9, E3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000770c5331 11 bytes [B8, B9, 7A, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000770c5351 11 bytes [B8, 39, 77, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000770da660 12 bytes [48, B8, B9, 81, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000770da770 12 bytes [48, B8, 39, 7E, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 00000000770ff511 11 bytes [B8, 79, D7, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 00000000770ff711 11 bytes [B8, F9, D3, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 00000000770ff741 8 bytes [B8, F9, CC, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 00000000770ff74a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd41642d 11 bytes [B8, 39, 5B, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd416484 12 bytes [48, B8, F9, 55, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd416519 11 bytes [B8, 39, 62, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd416c34 12 bytes [48, B8, 39, 54, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd417ab5 11 bytes [B8, F9, 5C, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd418b01 11 bytes [B8, B9, 57, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[3692] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd418c39 11 bytes [B8, 79, 59, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff0313b1 11 bytes [B8, 79, A6, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!closesocket 000007feff0318e0 12 bytes [48, B8, B9, A4, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff031bd1 11 bytes [B8, F9, A2, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff032201 11 bytes [B8, 39, E0, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff0323c0 12 bytes [48, B8, 39, 8C, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!connect 000007feff0345c0 12 bytes [48, B8, 79, 67, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!send + 1 000007feff038001 11 bytes [B8, 39, A1, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff038df0 7 bytes [48, B8, B9, 8F, 83, 75, 00] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff038df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff03c090 12 bytes [48, B8, F9, 8D, 83, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff03de91 11 bytes [B8, 39, D9, 83, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff03df41 11 bytes [B8, 79, DE, 83, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[3692] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff05e0f1 11 bytes [B8, B9, DC, 83, 75, 00, 00, ...] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175946619 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 0000000175946029 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 0000000175941689 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945f91 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes JMP 00000001759430a9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 00000001759466b1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175946749 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 0000000175947291 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 
bytes JMP 0000000175942009 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 0000000175942a21 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 0000000175943011 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946f01 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946ca1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175946581 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccb1 5 bytes JMP 0000000175946b71 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 0000000175946dd1 .text 
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 0000000175946a41 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 bytes JMP 0000000175943ac1 .text C:\Program Files (x86)\DivX\DivX 
Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 0000000175946159 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 00000001759460c1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 00000001759461f1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 bytes JMP 0000000175942c81 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 bytes JMP 00000001759427c1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] 
C:\Windows\syswow64\USER32.dll!GetMessageW 00000000005e78e2 5 bytes JMP 0000000075944441 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000005e7bd3 5 bytes JMP 00000000759443a9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000005e8a29 5 bytes JMP 0000000075945909 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000005e98fd 5 bytes JMP 00000000759463b9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000005eb6ed 5 bytes JMP 0000000075947459 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000005ed22e 5 bytes JMP 00000000759459a1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000005eee09 5 bytes JMP 00000000759434d1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000005effe6 5 bytes JMP 0000000075946289 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000005f00d9 5 bytes JMP 0000000075946321 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000005f05ba 5 bytes JMP 0000000075944571 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000005f0dfb 5 bytes JMP 0000000075945a39 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000005f12a5 5 bytes JMP 00000000759473c1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000005f20ec 5 bytes JMP 0000000075945dc9 .text 
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000005f3baa 5 bytes JMP 0000000075947329 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000005f5f74 5 bytes JMP 00000000759444d9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000005f6285 5 bytes JMP 0000000075944bf9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000005f7603 5 bytes JMP 0000000075942be9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000005f7aee 5 bytes JMP 0000000075945d31 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000005f835c 5 bytes JMP 0000000075942b51 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000000060ce54 5 bytes JMP 0000000075945b69 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000000060f52b 5 bytes JMP 0000000075944c91 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000000060f588 5 bytes JMP 0000000075946451 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000006110a0 5 bytes JMP 0000000075945ad1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000000063fcd6 5 bytes JMP 0000000075945c01 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000000063fcfa 5 bytes JMP 0000000075945c99 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] 
C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076b64965 5 bytes JMP 00000001759474f1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\msvcrt.dll!_lock + 41 
0000000076d4a472 5 bytes JMP 0000000175947589 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075b20179 5 bytes JMP 0000000175944d29 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000000932b30 5 bytes JMP 00000000759476b9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 000000000096f810 5 bytes JMP 0000000075944149 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 000000000096ffd0 5 bytes JMP 00000000759421d1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 00000000009eef00 5 bytes JMP 0000000075942ab9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076763918 5 bytes JMP 0000000175945ef9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076763cd3 5 bytes JMP 0000000175945e61 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!socket 0000000076763eb8 5 bytes JMP 0000000175946f99 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076764406 5 bytes JMP 0000000175942139 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076764889 5 bytes JMP 0000000175945741 .text C:\Program Files (x86)\DivX\DivX 
Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!recv 0000000076766b0e 5 bytes JMP 0000000175947161 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!connect 0000000076766bdd 1 byte JMP 00000001759441e1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076766bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!send 0000000076766f01 5 bytes JMP 00000001759420a1 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076767089 5 bytes JMP 00000001759471f9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007676cc3f 5 bytes JMP 00000001759470c9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007676d1ea 5 bytes JMP 00000001759457d9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076777673 5 bytes JMP 0000000175945871 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000004741401 2 bytes JMP 7688b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000004741419 2 bytes JMP 7688b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000004741431 2 bytes JMP 76908f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000474144a 2 bytes CALL 76864885 C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000047414dd 2 bytes JMP 76908802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000047414f5 2 bytes JMP 769089d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000474150d 2 bytes JMP 769086f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000004741525 2 bytes JMP 76908ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000474153d 2 bytes JMP 7687fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000004741555 2 bytes JMP 768868bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000474156d 2 bytes JMP 76908fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000004741585 2 bytes JMP 76908b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000474159d 2 bytes JMP 769086bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000047415b5 2 bytes JMP 7687fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000047415cd 2 bytes JMP 7688b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000047416b2 2 bytes JMP 76908e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3884] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000047416bd 2 bytes JMP 76908651 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [3884] entry point in ".rdata" section 00000000721b71e6 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd171861 3 bytes [B8, 79, 52] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 5 000007fefd171865 7 bytes [75, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd1730f1 11 bytes [B8, F9, B0, 83, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd178c00 12 bytes [48, B8, B9, 50, 83, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd17b591 11 bytes [B8, B9, AB, 83, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd182361 11 bytes [B8, F9, 4E, 83, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd18a590 12 bytes [48, B8, 79, AD, 83, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd18ac01 11 bytes [B8, 39, AF, 83, 75, 00, 00, ...] 
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd1a42e0 12 bytes [48, B8, B9, 42, 83, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd1b0ba1 11 bytes [B8, 79, C9, 83, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd1b2801 8 bytes [B8, 39, 23, 83, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd1b280a 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4008] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd1b2841 11 bytes [B8, F9, 40, 83, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772c6741 7 bytes [B8, 39, 69, 83, 75, 00, 00] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000772c674a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772ddcc0 6 bytes [48, B8, 39, BD, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772ddcc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772ddd90 6 bytes [48, B8, F9, A9, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000772ddd98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772dde30 6 bytes [48, B8, F9, 32, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772dde38 4 bytes [00, 00, 50, C3] .text 
C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772dde50 6 bytes [48, B8, 39, 1C, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772dde58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772dde70 6 bytes [48, B8, F9, 1D, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772dde78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772dde90 6 bytes [48, B8, 39, A8, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000772dde98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772ddf70 6 bytes [48, B8, 79, 2F, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000772ddf78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772ddf90 6 bytes [48, B8, 79, 36, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000772ddf98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772de020 6 bytes [48, B8, B9, 34, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000772de028 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000772de0a0 6 bytes [48, B8, 39, 2A, 83, 75] .text C:\Windows\System32\svchost.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000772de0a8 4 bytes [00, 00, 50, C3] .text 
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff03df41 11 bytes [B8, 79, DE, 83, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3496] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff05e0f1 11 bytes [B8, B9, DC, 83, 75, 00, 00, ...] .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007748f8ec 5 bytes JMP 0000000175946619 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007748f9dc 5 bytes JMP 0000000175945c99 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007748fb24 5 bytes JMP 00000001759456a9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007748fc1c 5 bytes JMP 00000001759431d9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007748fc4c 5 bytes JMP 00000001759415f1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007748fc7c 5 bytes JMP 0000000175941689 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcac 5 bytes JMP 0000000175945611 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007748fe10 5 bytes JMP 00000001759430a9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007748fe40 5 bytes JMP 0000000175943309 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007748ff20 5 bytes JMP 0000000175943271 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 
000000007748ffe8 5 bytes JMP 0000000175942ee1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077490000 5 bytes JMP 0000000175942db1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774900b0 5 bytes JMP 0000000175941ed9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774901c0 5 bytes JMP 0000000175942301 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077490810 5 bytes JMP 0000000175942e49 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774908a0 5 bytes JMP 0000000175942d19 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077490df0 5 bytes JMP 0000000175945d31 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077491600 5 bytes JMP 0000000175944ac9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007749191c 5 bytes JMP 0000000175943141 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077491be0 5 bytes JMP 0000000175945dc9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077491d50 5 bytes JMP 0000000175943439 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077491d6c 5 bytes JMP 00000001759433a1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077491ee4 5 bytes JMP 00000001759469a9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] 
C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774a4924 5 bytes JMP 0000000175941ab1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000774d0edb 5 bytes JMP 0000000175942009 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007751886f 5 bytes JMP 0000000175944b61 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007751eb0b 5 bytes JMP 0000000175941f71 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 0000000175941da9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 0000000175942a21 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000076864977 5 bytes JMP 00000001759425f9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873b93 5 bytes JMP 0000000175943011 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879a74 5 bytes JMP 0000000175946581 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879ad5 5 bytes JMP 0000000175946321 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768872f7 5 bytes JMP 0000000175942729 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888aa 5 bytes JMP 0000000175945c01 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!MoveFileExA 
000000007688ccb1 5 bytes JMP 00000001759461f1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688ccd1 5 bytes JMP 0000000175946451 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e3041 5 bytes JMP 00000001759428f1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000769074fb 5 bytes JMP 00000001759446a1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 000000007690751e 5 bytes JMP 00000001759447d1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769078c9 5 bytes JMP 0000000175944901 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907942 5 bytes JMP 0000000175944a31 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076968f8d 5 bytes JMP 0000000175941a19 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007696c436 5 bytes JMP 0000000175943b59 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007696eca6 5 bytes JMP 0000000175943601 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007696f206 5 bytes JMP 0000000175942399 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007696fa89 5 bytes JMP 0000000175941e41 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007696fbb7 5 bytes JMP 00000001759460c1 .text C:\Users\dibox\Desktop\do 
naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076971358 5 bytes JMP 0000000175943ac1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007697137f 5 bytes JMP 0000000175943a29 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076971d29 5 bytes JMP 0000000175941981 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076971e15 5 bytes JMP 00000001759424c9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076972ab1 5 bytes JMP 00000001759457d9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076972cd9 5 bytes JMP 0000000175945741 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076972d17 5 bytes JMP 0000000175945871 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076972e7a 5 bytes JMP 00000001759418e9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076973b70 5 bytes JMP 0000000175942269 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076974496 5 bytes JMP 0000000175942431 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076974608 5 bytes JMP 0000000175943569 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076974631 5 bytes JMP 0000000175942c81 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007697c734 5 
bytes JMP 00000001759427c1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076b5c9ec 5 bytes JMP 0000000175943c89 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076b62b70 5 bytes JMP 0000000175943bf1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076b6361c 5 bytes JMP 00000001759440b1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076b64965 5 bytes JMP 0000000175946b71 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076b770c4 5 bytes JMP 0000000175944311 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076b770dc 5 bytes JMP 0000000175943e51 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076b770f4 5 bytes JMP 0000000175943ee9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076b931f4 5 bytes JMP 0000000175943f81 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076b93204 5 bytes JMP 0000000175944019 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076b93214 5 bytes JMP 0000000175943d21 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076b93224 5 bytes JMP 0000000175943db9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076b93264 5 bytes JMP 0000000175944279 .text C:\Users\dibox\Desktop\do naprawy 
win\gmer\gmer.exe[3784] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d4a472 5 bytes JMP 0000000175946c09 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d527ce 5 bytes JMP 0000000175941be1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d5e6cf 5 bytes JMP 0000000175941b49 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000004f78e2 5 bytes JMP 0000000075944441 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000004f7bd3 5 bytes JMP 00000000759443a9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000004f8a29 5 bytes JMP 0000000075944f89 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000004f98fd 5 bytes JMP 0000000075945a39 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000004fb6ed 5 bytes JMP 0000000075946ca1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000004fd22e 5 bytes JMP 0000000075945021 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000004fee09 5 bytes JMP 00000000759434d1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000004fffe6 5 bytes JMP 0000000075945909 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000005000d9 5 bytes JMP 00000000759459a1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000005005ba 5 bytes JMP 0000000075944571 .text 
C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000000500dfb 5 bytes JMP 00000000759450b9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000005012a5 5 bytes JMP 0000000075946ad9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000005020ec 5 bytes JMP 0000000075945449 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000000503baa 5 bytes JMP 0000000075946a41 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000000505f74 5 bytes JMP 00000000759444d9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000000506285 5 bytes JMP 0000000075944bf9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000000507603 5 bytes JMP 0000000075942be9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000000507aee 5 bytes JMP 00000000759453b1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000000050835c 5 bytes JMP 0000000075942b51 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000000051ce54 5 bytes JMP 00000000759451e9 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000000051f52b 5 bytes JMP 0000000075944c91 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000000051f588 5 bytes JMP 0000000075945ad1 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] 
C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000005210a0 5 bytes JMP 0000000075945151 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000000054fcd6 2 bytes JMP 0000000075945281 .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000000054fcd9 2 bytes [3F, 75] .text C:\Users\dibox\Desktop\do naprawy win\gmer\gmer.exe[3784] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000000054fcfa 5 bytes JMP 0000000075945319 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef59a741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef59a5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef59a5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef59a5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef59a7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef59a6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef59a6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef59a7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef59a7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef59a78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef59a4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef59a5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2568] @ C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef59a7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Processes - GMER 2.1 ----
Library \\?\C:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [840] (FILE NOT FOUND) 000007fefb4c0000
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2152] (GG drive overlay/GG Network S.A.)(2012-10-12 17:13:12) 000000005c080000
Library C:\Users\dibox\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2152] (GG drive menu/GG Network S.A.)(201 000000005ff80000

---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0x6B 0x20 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\Control@PreshutdownOrder wuauserv?gpsvc?trustedinstaller?
Reg HKLM\SYSTEM\ControlSet002\Control@WaitToKillServiceTimeout 12000
Reg HKLM\SYSTEM\ControlSet002\Control@CurrentUser USERNAME
Reg HKLM\SYSTEM\ControlSet002\Control@BootDriverFlags 0
Reg HKLM\SYSTEM\ControlSet002\Control@ServiceControlManagerExtension %systemroot%\system32\scext.dll
Reg HKLM\SYSTEM\ControlSet002\Control@SystemStartOptions NOEXECUTE=OPTIN
Reg HKLM\SYSTEM\ControlSet002\Control@SystemBootDevice multi(0)disk(0)rdisk(0)partition(2)
Reg HKLM\SYSTEM\ControlSet002\Control@FirmwareBootDevice multi(0)disk(0)rdisk(0)partition(1)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0x6B 0x20 0x7F ...

---- EOF - GMER 2.1 ----