GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-03-03 00:21:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000065 WDC_WD50 rev.01.0 465,76GB
Running: gmer.exe; Driver: C:\Users\GREGOR~1\AppData\Local\Temp\uflyikod.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000115600 7 bytes [00, 66, F3, FF, 01, 70, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000115608 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7688b233 C:\Windows\syswow64\kernel32.dll
.text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7688b35e C:\Windows\syswow64\kernel32.dll
.text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 76909011 C:\Windows\syswow64\kernel32.dll
.text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 768648ad C:\Windows\syswow64\kernel32.dll
.text ...
* 9 .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 7690890a C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 76908ae0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 76908800 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 76908bca C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7687fcc0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076de1555 2 bytes JMP 76886907 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 769090c9 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 76908c2a C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 769087c4 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7687fd59 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] 
C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7688b2f4 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 76908f8c C:\Windows\syswow64\kernel32.dll .text D:\Programy\Advanced SystemCare Ultimate\ascavsvc.exe[928] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 76908759 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7688b233 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7688b35e C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 76909011 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 768648ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 7690890a C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 76908ae0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 76908800 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 76908bca C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7687fcc0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076de1555 2 bytes JMP 76886907 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 769090c9 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 76908c2a C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 769087c4 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7687fd59 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7688b2f4 
C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 76908f8c C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMFsrv.exe[996] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 76908759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2016\vsserv.exe[512] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007782b891 11 bytes [B8, F0, 12, AA, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, 62, 1E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 50, 21, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, CC, 1D, 
02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 24, 20, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\system32\svchost.exe[1832] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, E6, 21, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, BA, 20, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 12, 23, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, 8E, 1F, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, 36, 1D, 02] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, 7C, 22, 02, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, 48, 1A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, DE, 1A, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 74, 1B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, 82, 3A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, C0, 38, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, DA, 3C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 2A, 38, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 18, 3B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, 56, 39, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, EC, 39, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, A8, 23, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, D2, 35, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 68, 36, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, FE, 36, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 8A, 41, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 9C, 3E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, 4C, 43, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 32, 3F, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, F4, 40, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 20, 42, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, B6, 42, 02, 00] .text ... * 2 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, 94, 37, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 06, 3E, 02, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, 5E, 40, 02, 00, 00, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, 70, 3D, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 44, 3C, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, AE, 3B, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefe8a13b1 11 bytes [B8, 92, 48, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe8a18e0 12 bytes [48, B8, FC, 47, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefe8a1bd1 11 bytes [B8, 66, 47, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefe8a2201 11 bytes [B8, EA, 4A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe8a23c0 12 bytes [48, B8, 0E, 45, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!connect 000007fefe8a45c0 12 bytes [48, B8, 78, 44, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!send + 1 000007fefe8a8001 11 bytes [B8, D0, 46, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe8a8df0 7 bytes [48, B8, 3A, 46, 02, 00, 00] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefe8a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe8ac090 12 bytes [48, B8, A4, 45, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefe8ade91 11 bytes [B8, 28, 49, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefe8adf41 11 bytes [B8, 54, 4A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefe8ce0f1 11 bytes [B8, BE, 49, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, 62, 1E, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 50, 21, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, CC, 1D, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] 
C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 24, 20, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, E6, 21, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 
bytes [48, B8, 04, 04, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, BA, 20, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 12, 23, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, 8E, 1F, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Windows\System32\svchost.exe[2212] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, 36, 1D, 02] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, 7C, 22, 02, 00] .text C:\Windows\System32\svchost.exe[2212] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, 48, 1A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, DE, 1A, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 74, 1B, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, 82, 3A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, C0, 38, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, DA, 3C, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 2A, 38, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 18, 3B, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, 56, 39, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, EC, 39, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, A8, 23, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, D2, 35, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 68, 36, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, FE, 36, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 8A, 41, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 9C, 3E, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, 4C, 43, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 32, 3F, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, F4, 40, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 20, 42, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, B6, 42, 02, 00] .text ... * 2 .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, 94, 37, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 06, 3E, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, 5E, 40, 02, 00, 00, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, 70, 3D, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 44, 3C, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, AE, 3B, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefe8a13b1 11 bytes [B8, 28, 49, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe8a18e0 12 bytes [48, B8, 92, 48, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefe8a1bd1 11 bytes [B8, FC, 47, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefe8a2201 11 bytes [B8, 80, 4B, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe8a23c0 12 bytes [48, B8, A4, 45, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!connect 000007fefe8a45c0 12 bytes [48, B8, 0E, 45, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!send + 1 000007fefe8a8001 11 bytes [B8, 66, 47, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe8a8df0 7 bytes [48, B8, D0, 46, 02, 00, 00] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefe8a8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe8ac090 12 bytes [48, B8, 3A, 46, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefe8ade91 11 bytes [B8, BE, 49, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefe8adf41 11 bytes [B8, EA, 4A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefe8ce0f1 11 bytes [B8, 54, 4A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb3422e0 12 bytes [48, B8, AC, 4C, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb3445f8 12 bytes [48, B8, 16, 4C, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] c:\windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb353e3c 12 bytes [48, B8, 42, 4D, 02, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[2212] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefcc956e0 12 bytes [48, B8, 9A, 4F, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefcca010c 12 bytes [48, B8, 04, 4F, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2212] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefccbdaa0 12 bytes [48, B8, 6E, 4E, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, 62, 1E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 50, 21, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, CC, 1D, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 24, 20, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, E6, 21, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, BA, 20, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 12, 23, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, 8E, 1F, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text 
C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, 36, 1D, 02] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\system32\svchost.exe[2248] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, 7C, 22, 02, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, 48, 1A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, DE, 1A, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 74, 1B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, 82, 3A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, C0, 38, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, DA, 3C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 2A, 38, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 18, 3B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, 56, 39, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, EC, 39, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, A8, 23, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, D2, 35, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 68, 36, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, FE, 36, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 8A, 41, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 9C, 3E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, 4C, 43, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 32, 3F, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, F4, 40, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 20, 42, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, B6, 42, 02, 00] .text ... * 2 .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, 94, 37, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 06, 3E, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, 5E, 40, 02, 00, 00, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, 70, 3D, 02, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 44, 3C, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, AE, 3B, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefe8a13b1 11 bytes [B8, 92, 48, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe8a18e0 12 bytes [48, B8, FC, 47, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefe8a1bd1 11 bytes [B8, 66, 47, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefe8a2201 11 bytes [B8, EA, 4A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe8a23c0 12 bytes [48, B8, 0E, 45, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!connect 000007fefe8a45c0 12 bytes [48, B8, 78, 44, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!send + 1 000007fefe8a8001 11 bytes [B8, D0, 46, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe8a8df0 7 bytes [48, B8, 3A, 46, 02, 00, 00] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefe8a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe8ac090 12 bytes [48, B8, A4, 45, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefe8ade91 11 bytes [B8, 28, 49, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefe8adf41 11 bytes [B8, 54, 4A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefe8ce0f1 11 bytes [B8, BE, 49, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb3422e0 12 bytes [48, B8, AC, 4C, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb3445f8 12 bytes [48, B8, 16, 4C, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2248] C:\Windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb353e3c 12 bytes [48, B8, 42, 4D, 02, 00, 00, ...] .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077aaf9c8 5 bytes JMP 00000001000209a8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aafa80 5 bytes JMP 0000000100020700 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077aafbc8 5 bytes JMP 0000000100020656 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000077aafc48 5 bytes JMP 00000001000208fe .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077aafcc0 5 bytes JMP 00000001000203f2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077aafcf0 5 bytes JMP 0000000100020018 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077aafd20 5 bytes JMP 000000010002003a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077aafd50 5 bytes JMP 0000000100020634 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077aafe68 5 bytes JMP 0000000100020986 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077aafeb4 5 bytes JMP 00000001000203ae .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077aafee4 5 bytes JMP 0000000100020436 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077aaff60 5 bytes JMP 0000000100020810 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077aaffc4 5 bytes JMP 0000000100020414 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077ab0044 5 bytes JMP 00000001000209ca .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077ab008c 5 bytes JMP 000000010002036a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ab00a4 5 bytes JMP 0000000100020326 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ab0154 5 bytes JMP 0000000100020128 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ab0264 5 bytes JMP 00000001000201b0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ab083c 5 bytes JMP 0000000100020964 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ab08b4 5 bytes JMP 0000000100020348 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ab0944 5 bytes JMP 0000000100020304 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ab0e94 5 bytes JMP 0000000100020722 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000077ab1160 5 bytes JMP 00000001000208dc .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ab16a4 5 bytes JMP 00000001000205f0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ab19c0 5 bytes JMP 00000001000203d0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ab1c84 5 bytes JMP 0000000100020744 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077ab1df4 5 bytes JMP 000000010002047a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ab1e10 5 bytes JMP 0000000100020458 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ab1e2c 5 bytes JMP 00000001000209ec .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ab1f88 5 bytes JMP 0000000100020942 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077ac2a64 5 bytes JMP 00000001000200c2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] 
C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077ac8fe1 5 bytes JMP 0000000100020920 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!RtlSetEnvironmentVariable 0000000077ad59a0 5 bytes JMP 0000000100020832 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077af10bb 5 bytes JMP 000000010002016c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b39577 5 bytes JMP 0000000100020612 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b3f80f 5 bytes JMP 000000010002014a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 00000001000200e4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 00000001000202c0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007686499f 5 bytes JMP 0000000100020238 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873bbb 5 bytes JMP 000000010002038c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879abc 5 bytes JMP 00000001000207ee .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879b1d 5 bytes JMP 00000001000207aa .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 000000007688733f 5 bytes JMP 000000010002025a .text C:\Program Files\Bitdefender 
Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!UnhandledExceptionFilter 000000007688770f 5 bytes JMP 00000001015b07d0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888f2 5 bytes JMP 00000001000206de .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccc1 5 bytes JMP 0000000100020788 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688cce1 5 bytes JMP 00000001000207cc .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e31a9 5 bytes JMP 000000010002029e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076907603 5 bytes JMP 0000000100020568 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076907626 5 bytes JMP 000000010002058a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769079d1 5 bytes JMP 00000001000205ac .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907a4a 5 bytes JMP 00000001000205ce .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075688f85 5 bytes JMP 00000001000200a0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007568c538 5 bytes JMP 0000000100020546 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007568edb9 5 bytes JMP 00000001000204e0 .text C:\Program 
Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007568f319 5 bytes JMP 00000001000201d2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007568fb9c 5 bytes JMP 0000000100020106 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007568fcca 5 bytes JMP 0000000100020766 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 000000007569146c 5 bytes JMP 0000000100020524 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075691493 5 bytes JMP 0000000100020502 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075691e3d 5 bytes JMP 000000010002007e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000075691f29 5 bytes JMP 0000000100020216 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075692bcd 5 bytes JMP 000000010002069a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000075692e41 5 bytes JMP 0000000100020678 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075692e7f 5 bytes JMP 00000001000206bc .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000075692fe2 5 bytes JMP 000000010002005c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007569396b 5 bytes JMP 000000010002049c .text C:\Program 
Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000075693cd8 5 bytes JMP 000000010002018e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000756945fe 5 bytes JMP 00000001000201f4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000075694770 5 bytes JMP 00000001000204be .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000075694799 5 bytes JMP 00000001000202e2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 000000007569a37a 5 bytes JMP 0000000100020876 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!FindClose 000000007569a589 5 bytes JMP 0000000100020898 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 000000007569a663 5 bytes JMP 0000000100020854 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007569c8a8 5 bytes JMP 000000010002027c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 000000007569e414 5 bytes JMP 00000001000208ba .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007547a472 5 bytes JMP 0000000100020a0e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000754827ce 5 bytes JMP 0000000100020afc .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007548e6cf 5 bytes JMP 0000000100020ada .text C:\Program Files\Bitdefender 
Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076977004 5 bytes JMP 000000010002113a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769778f2 5 bytes JMP 0000000100020eb4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076977be3 5 bytes JMP 0000000100020e92 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076978a39 5 bytes JMP 0000000100020f5e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!FindWindowW 000000007697990d 5 bytes JMP 00000001000210d4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007697b6fd 5 bytes JMP 0000000100020a30 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!GetWindowLongA 000000007697d166 5 bytes JMP 0000000100021118 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007697d23e 5 bytes JMP 0000000100020f80 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007697ee19 5 bytes JMP 0000000100020e70 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007697fff6 5 bytes JMP 0000000100021090 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000769800e9 5 bytes JMP 00000001000210b2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769805ca 5 bytes JMP 0000000100020ef8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] 
C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076980e0b 5 bytes JMP 0000000100020fa2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769812b5 5 bytes JMP 00000001000211c2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000769820fc 5 bytes JMP 000000010002106e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076983bba 5 bytes JMP 00000001000211a0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076985f84 5 bytes JMP 0000000100020ed6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076986295 5 bytes JMP 0000000100020f1a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076987613 5 bytes JMP 0000000100020e4e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076987678 5 bytes JMP 000000010002117e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076987afe 5 bytes JMP 000000010002104c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007698836c 5 bytes JMP 0000000100020e2c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007699ce64 5 bytes JMP 0000000100020fe6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007699f54b 5 bytes JMP 0000000100020f3c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] 
C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007699f5a8 5 bytes JMP 00000001000210f6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000769a10c0 1 byte JMP 0000000100020fc4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW + 2 00000000769a10c2 3 bytes {JMP 0xffffffff8967ff04} .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000769cfd9e 5 bytes JMP 0000000100021008 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000769cfdc2 5 bytes JMP 000000010002102a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769d6e25 5 bytes JMP 000000010002115c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 000000007646633b 5 bytes JMP 0000000100020a52 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000076488685 5 bytes JMP 0000000100020b1e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000764886a4 5 bytes JMP 0000000100020b40 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000764940e0 5 bytes JMP 0000000100020b62 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076fc8e91 5 bytes JMP 0000000100020d3e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076fc9181 5 bytes JMP 0000000100020cfa .text C:\Program Files\Bitdefender 
Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076fc918e 5 bytes JMP 0000000100020da4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000076fcc4da 5 bytes JMP 0000000100020e0a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076fcc9f4 5 bytes JMP 0000000100020ba6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000076fcdebc 5 bytes JMP 0000000100020d1c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000076fcdede 5 bytes JMP 0000000100020de8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000076fcdef6 5 bytes JMP 0000000100020d82 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000076fcdf26 5 bytes JMP 0000000100020dc6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076fd2b58 5 bytes JMP 0000000100020b84 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076fd3604 5 bytes JMP 0000000100020c94 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076fd4959 5 bytes JMP 0000000100020a74 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076fe7154 5 bytes JMP 0000000100020cd8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076fe716c 5 bytes JMP 0000000100020c0c .text C:\Program Files\Bitdefender 
Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076fe7184 5 bytes JMP 0000000100020c2e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000076fe77cb 5 bytes JMP 0000000100020d60 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 000000007700338c 5 bytes JMP 0000000100020c50 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 000000007700339c 5 bytes JMP 0000000100020c72 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000770033ac 5 bytes JMP 0000000100020bc8 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000770033bc 5 bytes JMP 0000000100020bea .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000770033fc 5 bytes JMP 0000000100020cb6 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000758201a9 5 bytes JMP 00000001000211e4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7688b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7688b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 76909011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 768648ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 7690890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 76908ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 76908800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 76908bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7687fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076de1555 2 bytes JMP 76886907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 769090c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 76908c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 769087c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7687fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7688b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 76908f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 76908759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076713918 5 bytes JMP 000000010002137c .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076713cd3 5 bytes JMP 000000010002135a .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!socket 0000000076713eb8 5 bytes JMP 000000010002139e .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076714406 5 bytes JMP 00000001000212b0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076714889 5 bytes JMP 00000001000212f4 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!recv 0000000076716b0e 5 bytes JMP 00000001000213e2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!connect 0000000076716bdd 5 bytes JMP 00000001000212d2 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!send 0000000076716f01 5 bytes JMP 000000010002128e .text C:\Program 
Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076717089 5 bytes JMP 0000000100021404 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007671cc3f 5 bytes JMP 00000001000213c0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007671d1ea 5 bytes JMP 0000000100021316 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2612] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076727673 5 bytes JMP 0000000100021338 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 7C, 22, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Program 
Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, 62, 1E, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, 
B8, 50, 21, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778fd7c0 5 bytes [48, B8, 48, 1A, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00000000778fd7c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, 12, 23, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 
00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, E6, 21, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 3E, 24, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, BA, 20, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 
bytes [48, B8, 42, 02, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, CC, 1D, 02] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, A8, 23, 02, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778fec80 6 bytes [48, B8, 24, 20, 02, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000778fec88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, DE, 1A, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] 
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, 8E, 1F, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] 
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] 
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] 
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 6A, 25, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 96, 26, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 2C, 27, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, C2, 27, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, E2, 43, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, F4, 40, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, A4, 45, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 8A, 41, 02, 00, 00, 00, ...] 
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, 4C, 43, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 78, 44, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, 0E, 45, 02, 00] .text ... * 2 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, 00, 26, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 5E, 40, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, B6, 42, 02, 00, 00, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, C8, 3F, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 9C, 3E, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, 06, 3E, 02, 00, 00, ...] 
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, DA, 3C, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, 18, 3B, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, 32, 3F, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 82, 3A, 02, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 70, 3D, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, AE, 3B, 02, 00, 00, 00, ...] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2644] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 44, 3C, 02, 00, 00, 00, ...] .text C:\Program Files\Bitdefender\Bitdefender 2016\updatesrv.exe[2696] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007782b891 11 bytes [B8, F0, 12, B0, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, 8E, 1F, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] 
.text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, F6, 2F, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 08, 2D, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, B8, 31, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 9E, 2D, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, 60, 2F, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 8C, 30, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, 22, 31, 02, 00] .text ... 
* 2 .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 2 bytes [B8, D4] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 52 000007fefe914d54 8 bytes [02, 00, 00, 00, 00, 00, 50, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 72, 2C, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, CA, 2E, 02, 00, 00, 00] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 2 bytes [48, B8] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!CreateServiceA + 3 000007fefe92b8bf 9 bytes [2B, 02, 00, 00, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, B0, 2A, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, 1A, 2A, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, EE, 28, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, 2C, 27, 02, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, 46, 2B, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 96, 26, 02, 00, 00, ...] 
.text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 84, 29, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, C2, 27, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 58, 28, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 00, 26, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 4E, 32, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, E4, 32, 02, 00, 00, 00, ...] .text C:\Windows\System32\WUDFHost.exe[3016] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 7A, 33, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, DE, 1A, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 74, 1B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, 96, 26, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, D4, 24, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, EE, 28, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 3E, 24, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 2C, 27, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, 6A, 25, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 00, 26, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 9E, 2D, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, B0, 2A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, 60, 2F, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 46, 2B, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, 08, 2D, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 34, 2E, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, CA, 2E, 02, 00] .text ... * 2 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, A8, 23, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 1A, 2A, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, 72, 2C, 02, 00, 00, 00] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, 84, 29, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 58, 28, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, C2, 27, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, F6, 2F, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 20, 42, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, B6, 42, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 4C, 43, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefe8a13b1 11 bytes [B8, 92, 48, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe8a18e0 12 bytes [48, B8, FC, 47, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefe8a1bd1 11 bytes [B8, 66, 47, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefe8a2201 11 bytes [B8, EA, 4A, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe8a23c0 12 bytes [48, B8, 0E, 45, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!connect 000007fefe8a45c0 12 bytes [48, B8, 78, 44, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!send + 1 000007fefe8a8001 11 bytes [B8, D0, 46, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe8a8df0 7 bytes [48, B8, 3A, 46, 02, 00, 00] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefe8a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe8ac090 12 bytes [48, B8, A4, 45, 02, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefe8ade91 11 bytes [B8, 28, 49, 02, 00, 00, 00, ...] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefe8adf41 11 bytes [B8, 54, 4A, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefe8ce0f1 11 bytes [B8, BE, 49, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 7C, 22, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, 62, 1E, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 
8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 50, 21, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778fd7c0 5 bytes [48, B8, 48, 1A, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00000000778fd7c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, 12, 23, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, E6, 21, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 3E, 24, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, BA, 20, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, CC, 1D, 02] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text 
C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, A8, 23, 02, 00] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778fec80 6 bytes [48, B8, 24, 20, 02, 00] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000778fec88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, DE, 1A, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 02, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, EE, 28, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, 2C, 27, 02, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, 46, 2B, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 96, 26, 02, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 84, 29, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, C2, 27, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 58, 28, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 00, 26, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 4E, 32, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, E4, 32, 02, 00, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3120] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 7A, 33, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 7C, 22, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, 62, 1E, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 
8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 50, 21, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778fd7c0 5 bytes [48, B8, 48, 1A, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00000000778fd7c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, 12, 23, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, E6, 21, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 3E, 24, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, BA, 20, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, CC, 1D, 02] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, A8, 23, 02, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778fec80 6 bytes [48, B8, 24, 20, 02, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000778fec88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, DE, 1A, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, 8E, 1F, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, D4, 24, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 2A, 38, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, C0, 38, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 56, 39, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, DA, 3C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, 18, 3B, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, 32, 3F, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 82, 3A, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 70, 3D, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, AE, 3B, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 44, 3C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, E2, 43, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, F4, 40, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, A4, 45, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 8A, 41, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, 4C, 43, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 78, 44, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, 0E, 45, 02, 00] .text ... * 2 .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, EC, 39, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 5E, 40, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, B6, 42, 02, 00, 00, 00] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, C8, 3F, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 9C, 3E, 02, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3700] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, 06, 3E, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 7C, 22, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, 62, 1E, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] 
C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 50, 21, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778fd7c0 5 bytes [48, B8, 48, 1A, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00000000778fd7c8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 
00000000778fd850 5 bytes [48, B8, 12, 23, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, E6, 21, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 3E, 24, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, BA, 20, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\system32\taskeng.exe[3744] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, CC, 1D, 02] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 
00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, A8, 23, 02, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778fec80 6 bytes [48, B8, 24, 20, 02, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000778fec88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, DE, 1A, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, 8E, 1F, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 6A, 25, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 00, 26, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 96, 26, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 2C, 27, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, DA, 3C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, 18, 3B, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, 32, 3F, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 82, 3A, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 70, 3D, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, AE, 3B, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 44, 3C, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, E2, 43, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, F4, 40, 02, 00, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, A4, 45, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 8A, 41, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, 4C, 43, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 78, 44, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, 0E, 45, 02, 00] .text ... * 2 .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, EC, 39, 02, 00, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 5E, 40, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, B6, 42, 02, 00, 00, 00] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, C8, 3F, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 9C, 3E, 02, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[3744] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, 06, 3E, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, 2E, 16, 02, 00, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, A2, 0B, 02, 00, 00, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, CE, 0C, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 38, 0C, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 86, 18, 02] 
.text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778fd7c0 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00000000778fd7c8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, 1C, 19, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 48, 1A, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, F0, 17, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 64, 0D, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, 02, 15, 02] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, FA, 0D, 02, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 
00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, B2, 19, 02, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778fec80 6 bytes [48, B8, 5A, 17, 02, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000778fec88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, BC, 0F, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, C4, 16, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 52, 10, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, 26, 0F, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 14, 12, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, AA, 12, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 40, 13, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 00, 26, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 12, 23, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, C2, 27, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, A8, 23, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, 6A, 25, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 96, 26, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, 2C, 27, 02, 00] .text ... * 2 .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, DE, 1A, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 7C, 22, 02, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, D4, 24, 02, 00, 00, 00] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, E6, 21, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, BA, 20, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, 24, 20, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, 36, 1D, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, 50, 21, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, A0, 1C, 02, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 8E, 1F, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, CC, 1D, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 62, 1E, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 74, 1B, 02, 00, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, E4, 32, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 7A, 33, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 10, 34, 02, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[2156] C:\Windows\system32\WS2_32.dll!connect 000007fefe8a45c0 12 bytes [48, B8, 3C, 35, 02, 00, 00, ...] .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077aaf9c8 5 bytes JMP 00000001000209a8 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aafa80 5 bytes JMP 0000000100020700 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077aafbc8 5 bytes JMP 0000000100020656 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000077aafc48 5 bytes JMP 00000001000208fe .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077aafcc0 5 bytes JMP 00000001000203f2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077aafcf0 5 bytes JMP 0000000100020018 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077aafd20 5 bytes JMP 000000010002003a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077aafd50 5 bytes JMP 0000000100020634 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077aafe68 5 bytes JMP 
0000000100020986 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077aafeb4 5 bytes JMP 00000001000203ae .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077aafee4 5 bytes JMP 0000000100020436 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077aaff60 5 bytes JMP 0000000100020810 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077aaffc4 5 bytes JMP 0000000100020414 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077ab0044 5 bytes JMP 00000001000209ca .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077ab008c 5 bytes JMP 000000010002036a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ab00a4 5 bytes JMP 0000000100020326 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ab0154 5 bytes JMP 0000000100020128 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ab0264 5 bytes JMP 00000001000201b0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ab083c 5 bytes JMP 0000000100020964 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ab08b4 5 bytes JMP 0000000100020348 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ab0944 5 bytes JMP 0000000100020304 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ab0e94 5 bytes JMP 0000000100020722 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000077ab1160 5 bytes JMP 00000001000208dc .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ab16a4 5 bytes JMP 00000001000205f0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ab19c0 5 bytes JMP 00000001000203d0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ab1c84 5 bytes JMP 0000000100020744 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077ab1df4 5 bytes JMP 000000010002047a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ab1e10 5 bytes JMP 0000000100020458 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ab1e2c 5 bytes JMP 00000001000209ec .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ab1f88 5 bytes JMP 0000000100020942 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077ac2a64 5 bytes JMP 00000001000200c2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077ac8fe1 5 bytes JMP 0000000100020920 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlSetEnvironmentVariable 0000000077ad59a0 5 bytes JMP 0000000100020832 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077af10bb 5 bytes 
JMP 000000010002016c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b39577 5 bytes JMP 0000000100020612 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b3f80f 5 bytes JMP 000000010002014a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 00000001000200e4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 00000001000202c0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007686499f 5 bytes JMP 0000000100020238 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873bbb 5 bytes JMP 000000010002038c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879abc 5 bytes JMP 00000001000207ee .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879b1d 5 bytes JMP 00000001000207aa .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 000000007688733f 5 bytes JMP 000000010002025a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888f2 5 bytes JMP 00000001000206de .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccc1 5 bytes JMP 0000000100020788 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688cce1 5 bytes JMP 00000001000207cc .text D:\Programy\Advanced 
SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e31a9 5 bytes JMP 000000010002029e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076907603 5 bytes JMP 0000000100020568 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076907626 5 bytes JMP 000000010002058a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769079d1 5 bytes JMP 00000001000205ac .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907a4a 5 bytes JMP 00000001000205ce .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075688f85 5 bytes JMP 00000001000200a0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007568c538 5 bytes JMP 0000000100020546 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007568edb9 5 bytes JMP 00000001000204e0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007568f319 5 bytes JMP 00000001000201d2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007568fb9c 5 bytes JMP 0000000100020106 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007568fcca 5 bytes JMP 0000000100020766 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 000000007569146c 5 bytes JMP 0000000100020524 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] 
C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075691493 5 bytes JMP 0000000100020502 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075691e3d 5 bytes JMP 000000010002007e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000075691f29 5 bytes JMP 0000000100020216 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075692bcd 5 bytes JMP 000000010002069a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000075692e41 5 bytes JMP 0000000100020678 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075692e7f 5 bytes JMP 00000001000206bc .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000075692fe2 5 bytes JMP 000000010002005c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007569396b 5 bytes JMP 000000010002049c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000075693cd8 5 bytes JMP 000000010002018e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000756945fe 5 bytes JMP 00000001000201f4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000075694770 5 bytes JMP 00000001000204be .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000075694799 5 bytes JMP 00000001000202e2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 000000007569a37a 5 bytes JMP 
0000000100020876 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!FindClose 000000007569a589 5 bytes JMP 0000000100020898 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 000000007569a663 5 bytes JMP 0000000100020854 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007569c8a8 5 bytes JMP 000000010002027c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 000000007569e414 5 bytes JMP 00000001000208ba .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007547a472 5 bytes JMP 0000000100020a0e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000754827ce 5 bytes JMP 0000000100020afc .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007548e6cf 5 bytes JMP 0000000100020ada .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 000000007646633b 5 bytes JMP 0000000100020a30 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000076488685 5 bytes JMP 000000010002117e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000764886a4 5 bytes JMP 00000001000211a0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000764940e0 5 bytes JMP 00000001000211c2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076977004 5 bytes JMP 00000001000210d4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] 
C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769778f2 5 bytes JMP 0000000100020e4e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076977be3 5 bytes JMP 0000000100020e2c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076978a39 5 bytes JMP 0000000100020ef8 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!FindWindowW 000000007697990d 5 bytes JMP 000000010002106e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007697b6fd 5 bytes JMP 0000000100020a52 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!GetWindowLongA 000000007697d166 5 bytes JMP 00000001000210b2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007697d23e 5 bytes JMP 0000000100020f1a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007697ee19 5 bytes JMP 0000000100020e0a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007697fff6 5 bytes JMP 000000010002102a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000769800e9 5 bytes JMP 000000010002104c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769805ca 5 bytes JMP 0000000100020e92 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076980e0b 5 bytes JMP 0000000100020f3c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769812b5 5 bytes JMP 000000010002115c .text D:\Programy\Advanced 
SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000769820fc 5 bytes JMP 0000000100021008 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076983bba 5 bytes JMP 000000010002113a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076985f84 5 bytes JMP 0000000100020e70 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076986295 5 bytes JMP 0000000100020eb4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076987613 5 bytes JMP 0000000100020de8 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076987678 5 bytes JMP 0000000100021118 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076987afe 5 bytes JMP 0000000100020fe6 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007698836c 5 bytes JMP 0000000100020dc6 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007699ce64 5 bytes JMP 0000000100020f80 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007699f54b 5 bytes JMP 0000000100020ed6 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007699f5a8 5 bytes JMP 0000000100021090 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000769a10c0 5 bytes JMP 0000000100020f5e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] 
C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000769cfd9e 1 byte JMP 0000000100020fa2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 2 00000000769cfda0 3 bytes {CALL QWORD [RCX]} .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000769cfdc2 5 bytes JMP 0000000100020fc4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769d6e25 5 bytes JMP 00000001000210f6 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076fc8e91 5 bytes JMP 0000000100020cd8 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076fc9181 5 bytes JMP 0000000100020c94 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076fc918e 5 bytes JMP 0000000100020d3e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000076fcc4da 5 bytes JMP 0000000100020da4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076fcc9f4 5 bytes JMP 0000000100020b40 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000076fcdebc 5 bytes JMP 0000000100020cb6 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000076fcdede 5 bytes JMP 0000000100020d82 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000076fcdef6 5 bytes JMP 0000000100020d1c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000076fcdf26 5 bytes JMP 
0000000100020d60 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076fd2b58 5 bytes JMP 0000000100020b1e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076fd3604 5 bytes JMP 0000000100020c2e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076fd4959 5 bytes JMP 0000000100020a74 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076fe7154 5 bytes JMP 0000000100020c72 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076fe716c 5 bytes JMP 0000000100020ba6 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076fe7184 5 bytes JMP 0000000100020bc8 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000076fe77cb 5 bytes JMP 0000000100020cfa .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 000000007700338c 5 bytes JMP 0000000100020bea .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 000000007700339c 5 bytes JMP 0000000100020c0c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000770033ac 5 bytes JMP 0000000100020b62 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000770033bc 5 bytes JMP 0000000100020b84 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000770033fc 5 bytes JMP 0000000100020c50 .text D:\Programy\Advanced SystemCare 
Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076713918 5 bytes JMP 00000001000212d2 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076713cd3 5 bytes JMP 00000001000212b0 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!socket 0000000076713eb8 5 bytes JMP 00000001000212f4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076714406 5 bytes JMP 0000000100021206 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076714889 5 bytes JMP 000000010002124a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!recv 0000000076716b0e 5 bytes JMP 0000000100021338 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!connect 0000000076716bdd 5 bytes JMP 0000000100021228 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!send 0000000076716f01 5 bytes JMP 00000001000211e4 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076717089 5 bytes JMP 000000010002135a .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007671cc3f 5 bytes JMP 0000000100021316 .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007671d1ea 5 bytes JMP 000000010002126c .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076727673 5 bytes JMP 000000010002128e .text D:\Programy\Advanced SystemCare Ultimate\Monitor.exe[2568] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 00000000758201a9 5 bytes JMP 000000010002137c .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 7C, 22, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, 62, 1E, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 
50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 50, 21, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778fd7c0 5 
bytes [48, B8, 48, 1A, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00000000778fd7c8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, 12, 23, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 bytes [48, B8, 04, 04, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, E6, 21, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 3E, 24, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 
50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, BA, 20, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, CC, 1D, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, A8, 23, 02, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778fec80 6 bytes [48, B8, 24, 20, 02, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000778fec88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, DE, 1A, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, 8E, 1F, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 8C, 30, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 9E, 2D, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, 4E, 32, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 34, 2E, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, F6, 2F, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 22, 31, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, B8, 31, 02, 00] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 2 bytes [B8, D4] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 52 000007fefe914d54 8 bytes [02, 00, 00, 00, 00, 00, 50, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 08, 2D, 02, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, 60, 2F, 02, 00, 00, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, 72, 2C, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 46, 2B, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, B0, 2A, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, 84, 29, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, C2, 27, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, DC, 2B, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 2C, 27, 02, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 1A, 2A, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, 58, 28, 02, 00, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, EE, 28, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 6A, 25, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 0E, 45, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, A4, 45, 02, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4048] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 3A, 46, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 00000000778d8141 11 bytes [B8, 62, 1E, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000778e6061 7 bytes [B8, 64, 0D, 02, 00, 00, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 00000000778e606a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000778fd430 5 bytes [48, B8, 50, 21, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000778fd438 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778fd4a0 5 bytes [48, B8, 98, 15, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000778fd4a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778fd570 5 bytes [48, B8, 14, 12, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000778fd578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 00000000778fd5c0 5 bytes [48, B8, CC, 1D, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 00000000778fd5c8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778fd610 5 bytes [48, B8, 5C, 06, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000778fd618 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000778fd630 5 bytes [48, B8, 80, 00, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000778fd638 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] 
C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778fd650 5 bytes [48, B8, 16, 01, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000778fd658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778fd670 5 bytes [48, B8, 7E, 11, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000778fd678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778fd720 5 bytes [48, B8, 24, 20, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000778fd728 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778fd750 5 bytes [48, B8, 30, 05, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000778fd758 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778fd770 5 bytes [48, B8, 88, 07, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000778fd778 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778fd800 5 bytes [48, B8, F2, 06, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000778fd808 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778fd850 5 bytes [48, B8, E6, 21, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000778fd858 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000778fd880 5 
bytes [48, B8, 04, 04, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000778fd888 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778fd890 5 bytes [48, B8, D8, 02, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000778fd898 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778fd900 5 bytes [48, B8, BA, 20, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000778fd908 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778fd9b0 5 bytes [48, B8, 12, 23, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778fd9b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778fdd80 5 bytes [48, B8, 8E, 1F, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000778fdd88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000778fddd0 5 bytes [48, B8, 6E, 03, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000778fddd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778fde30 5 bytes [48, B8, 42, 02, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000778fde38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778fe1a0 5 bytes [48, B8, 2E, 16, 02] .text C:\Windows\System32\svchost.exe[1920] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000778fe1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000778fe370 5 bytes [48, B8, 36, 1D, 02] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000778fe378 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000778fe6e0 6 bytes [48, B8, 52, 10, 02, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000778fe6e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778fe8e0 6 bytes [48, B8, C6, 05, 02, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000778fe8e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778feaa0 6 bytes [48, B8, C4, 16, 02, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000778feaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778feb80 6 bytes [48, B8, 4A, 09, 02, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000778feb88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778feb90 6 bytes [48, B8, B4, 08, 02, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000778feb98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778feba0 6 bytes [48, B8, 7C, 22, 02, 00] .text C:\Windows\System32\svchost.exe[1920] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000778feba8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007796fba1 11 bytes [B8, E8, 10, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 0000000077994131 11 bytes [B8, 48, 1A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, F8, 1E, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 02, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, 0A, 1C, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, DE, 1A, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 74, 1B, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, A0, 1C, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, 20, 42, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, 5E, 40, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, 78, 44, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, C8, 3F, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, B6, 42, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, F4, 40, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, 8A, 41, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefe8a13b1 11 bytes [B8, 58, 28, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe8a18e0 12 bytes [48, B8, C2, 27, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefe8a1bd1 11 bytes [B8, 2C, 27, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefe8a2201 11 bytes [B8, B0, 2A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe8a23c0 12 bytes [48, B8, D4, 24, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!connect 000007fefe8a45c0 12 bytes [48, B8, 3E, 24, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!send + 1 000007fefe8a8001 11 bytes [B8, 96, 26, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe8a8df0 7 bytes [48, B8, 00, 26, 02, 00, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefe8a8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe8ac090 12 bytes [48, B8, 6A, 25, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefe8ade91 11 bytes [B8, EE, 28, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefe8adf41 11 bytes [B8, 1A, 2A, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefe8ce0f1 11 bytes [B8, 84, 29, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, DC, 2B, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 72, 2C, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 08, 2D, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 9E, 2D, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 28, 49, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 3A, 46, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, EA, 4A, 02, 00, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, D0, 46, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, 92, 48, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, BE, 49, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, 54, 4A, 02, 00] .text ... * 2 .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 11 bytes [B8, 32, 3F, 02, 00, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, A4, 45, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, FC, 47, 02, 00, 00, 00] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, 0E, 45, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, E2, 43, 02, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1920] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, 4C, 43, 02, 00, 00, ...] 
.text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077aaf9c8 5 bytes JMP 00000001000209a8 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aafa80 5 bytes JMP 0000000100020700 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077aafbc8 5 bytes JMP 0000000100020656 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000077aafc48 5 bytes JMP 00000001000208fe .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077aafcc0 5 bytes JMP 00000001000203f2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077aafcf0 5 bytes JMP 0000000100020018 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077aafd20 5 bytes JMP 000000010002003a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077aafd50 5 bytes JMP 0000000100020634 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077aafe68 5 bytes JMP 0000000100020986 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077aafeb4 5 bytes JMP 00000001000203ae .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077aafee4 5 bytes JMP 0000000100020436 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077aaff60 5 bytes JMP 0000000100020810 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] 
C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077aaffc4 5 bytes JMP 0000000100020414 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077ab0044 5 bytes JMP 00000001000209ca .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077ab008c 5 bytes JMP 000000010002036a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ab00a4 5 bytes JMP 0000000100020326 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ab0154 5 bytes JMP 0000000100020128 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ab0264 5 bytes JMP 00000001000201b0 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ab083c 5 bytes JMP 0000000100020964 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ab08b4 5 bytes JMP 0000000100020348 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ab0944 5 bytes JMP 0000000100020304 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ab0e94 5 bytes JMP 0000000100020722 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000077ab1160 5 bytes JMP 00000001000208dc .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ab16a4 5 bytes JMP 00000001000205f0 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ab19c0 5 bytes JMP 00000001000203d0 .text 
D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ab1c84 5 bytes JMP 0000000100020744 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077ab1df4 5 bytes JMP 000000010002047a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ab1e10 5 bytes JMP 0000000100020458 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ab1e2c 5 bytes JMP 00000001000209ec .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ab1f88 5 bytes JMP 0000000100020942 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077ac2a64 5 bytes JMP 00000001000200c2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077ac8fe1 5 bytes JMP 0000000100020920 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlSetEnvironmentVariable 0000000077ad59a0 5 bytes JMP 0000000100020832 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077af10bb 5 bytes JMP 000000010002016c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b39577 5 bytes JMP 0000000100020612 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b3f80f 5 bytes JMP 000000010002014a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 00000001000200e4 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] 
C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 00000001000202c0 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007686499f 5 bytes JMP 0000000100020238 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873bbb 5 bytes JMP 000000010002038c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879abc 5 bytes JMP 00000001000207ee .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879b1d 5 bytes JMP 00000001000207aa .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 000000007688733f 5 bytes JMP 000000010002025a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888f2 5 bytes JMP 00000001000206de .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccc1 5 bytes JMP 0000000100020788 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688cce1 5 bytes JMP 00000001000207cc .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e31a9 5 bytes JMP 000000010002029e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076907603 5 bytes JMP 0000000100020568 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076907626 5 bytes JMP 000000010002058a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769079d1 5 
bytes JMP 00000001000205ac .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907a4a 5 bytes JMP 00000001000205ce .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075688f85 5 bytes JMP 00000001000200a0 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007568c538 5 bytes JMP 0000000100020546 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007568edb9 5 bytes JMP 00000001000204e0 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007568f319 5 bytes JMP 00000001000201d2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007568fb9c 5 bytes JMP 0000000100020106 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007568fcca 5 bytes JMP 0000000100020766 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 000000007569146c 5 bytes JMP 0000000100020524 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075691493 5 bytes JMP 0000000100020502 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075691e3d 5 bytes JMP 000000010002007e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000075691f29 5 bytes JMP 0000000100020216 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075692bcd 5 bytes JMP 000000010002069a .text D:\Programy\Advanced SystemCare 
Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000075692e41 5 bytes JMP 0000000100020678 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075692e7f 5 bytes JMP 00000001000206bc .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000075692fe2 5 bytes JMP 000000010002005c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007569396b 5 bytes JMP 000000010002049c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000075693cd8 5 bytes JMP 000000010002018e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000756945fe 5 bytes JMP 00000001000201f4 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000075694770 5 bytes JMP 00000001000204be .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000075694799 5 bytes JMP 00000001000202e2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 000000007569a37a 5 bytes JMP 0000000100020876 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FindClose 000000007569a589 5 bytes JMP 0000000100020898 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 000000007569a663 5 bytes JMP 0000000100020854 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007569c8a8 5 bytes JMP 000000010002027c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 
000000007569e414 5 bytes JMP 00000001000208ba .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007547a472 5 bytes JMP 0000000100020a0e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000754827ce 5 bytes JMP 0000000100020afc .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007548e6cf 5 bytes JMP 0000000100020ada .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 000000007646633b 5 bytes JMP 0000000100020a30 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000076488685 5 bytes JMP 000000010002117e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000764886a4 5 bytes JMP 00000001000211a0 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000764940e0 5 bytes JMP 00000001000211c2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076977004 5 bytes JMP 00000001000210d4 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769778f2 5 bytes JMP 0000000100020e4e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076977be3 5 bytes JMP 0000000100020e2c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076978a39 5 bytes JMP 0000000100020ef8 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowW 000000007697990d 5 bytes JMP 000000010002106e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] 
C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007697b6fd 5 bytes JMP 0000000100020a52 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!GetWindowLongA 000000007697d166 5 bytes JMP 00000001000210b2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007697d23e 5 bytes JMP 0000000100020f1a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007697ee19 5 bytes JMP 0000000100020e0a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007697fff6 5 bytes JMP 000000010002102a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000769800e9 5 bytes JMP 000000010002104c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769805ca 5 bytes JMP 0000000100020e92 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076980e0b 5 bytes JMP 0000000100020f3c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769812b5 5 bytes JMP 000000010002115c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000769820fc 5 bytes JMP 0000000100021008 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076983bba 5 bytes JMP 000000010002113a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076985f84 5 bytes JMP 0000000100020e70 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076986295 5 bytes JMP 0000000100020eb4 .text D:\Programy\Advanced 
SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076987613 5 bytes JMP 0000000100020de8 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076987678 5 bytes JMP 0000000100021118 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076987afe 5 bytes JMP 0000000100020fe6 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007698836c 5 bytes JMP 0000000100020dc6 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007699ce64 5 bytes JMP 0000000100020f80 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007699f54b 5 bytes JMP 0000000100020ed6 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007699f5a8 5 bytes JMP 0000000100021090 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000769a10c0 5 bytes JMP 0000000100020f5e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000769cfd9e 1 byte JMP 0000000100020fa2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 2 00000000769cfda0 3 bytes {CALL QWORD [RCX]} .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000769cfdc2 5 bytes JMP 0000000100020fc4 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769d6e25 5 bytes JMP 00000001000210f6 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] 
C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076fc8e91 5 bytes JMP 0000000100020cd8 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076fc9181 5 bytes JMP 0000000100020c94 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076fc918e 5 bytes JMP 0000000100020d3e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000076fcc4da 5 bytes JMP 0000000100020da4 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076fcc9f4 5 bytes JMP 0000000100020b40 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000076fcdebc 5 bytes JMP 0000000100020cb6 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000076fcdede 5 bytes JMP 0000000100020d82 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000076fcdef6 5 bytes JMP 0000000100020d1c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000076fcdf26 5 bytes JMP 0000000100020d60 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076fd2b58 5 bytes JMP 0000000100020b1e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076fd3604 5 bytes JMP 0000000100020c2e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076fd4959 5 bytes JMP 0000000100020a74 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076fe7154 5 bytes 
JMP 0000000100020c72 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076fe716c 5 bytes JMP 0000000100020ba6 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076fe7184 5 bytes JMP 0000000100020bc8 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000076fe77cb 5 bytes JMP 0000000100020cfa .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 000000007700338c 5 bytes JMP 0000000100020bea .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 000000007700339c 5 bytes JMP 0000000100020c0c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000770033ac 5 bytes JMP 0000000100020b62 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000770033bc 5 bytes JMP 0000000100020b84 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000770033fc 5 bytes JMP 0000000100020c50 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076713918 5 bytes JMP 00000001000212d2 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076713cd3 5 bytes JMP 00000001000212b0 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!socket 0000000076713eb8 5 bytes JMP 00000001000212f4 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076714406 5 bytes JMP 0000000100021206 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] 
C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076714889 5 bytes JMP 000000010002124a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!recv 0000000076716b0e 5 bytes JMP 0000000100021338 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!connect 0000000076716bdd 5 bytes JMP 0000000100021228 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!send 0000000076716f01 5 bytes JMP 00000001000211e4 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076717089 5 bytes JMP 000000010002135a .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007671cc3f 5 bytes JMP 0000000100021316 .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007671d1ea 5 bytes JMP 000000010002126c .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076727673 5 bytes JMP 000000010002128e .text D:\Programy\Advanced SystemCare Ultimate\ASCTray.exe[1936] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 00000000758201a9 5 bytes JMP 000000010002137c .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 25, 00, 00, 00, ...] 
.text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, 8E, 1F, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 25, 00, 00, 00, ...] 
.text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 25, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 25, 00, 00, 00, ...] 
.text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 6A, 25, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, 00, 26, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 96, 26, 25, 00, 00, 00, ...] .text C:\Windows\system32\cmd.exe[4860] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 2C, 27, 25, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077791b21 11 bytes [B8, 02, 15, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077791c10 12 bytes [48, B8, 1E, 08, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077792b61 8 bytes [B8, 86, 18, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077792b6a 2 bytes [50, C3] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777adb80 12 bytes [48, B8, 9A, 04, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777b0931 11 bytes [B8, 8E, 1F, 1D, 00, 00, 00, ...] 
.text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000777e53a1 11 bytes [B8, 90, 0E, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000777e53c1 11 bytes [B8, FA, 0D, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000777fa690 12 bytes [48, B8, BC, 0F, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000777fa7a0 12 bytes [48, B8, 26, 0F, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007781f541 11 bytes [B8, B2, 19, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007781f741 11 bytes [B8, 1C, 19, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007781f771 8 bytes [B8, F0, 17, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007781f77a 2 bytes [50, C3] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd901851 11 bytes [B8, CE, 0C, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd902db1 11 bytes [B8, D6, 13, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd9033a1 11 bytes [B8, 6C, 14, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefd904a21 11 bytes [B8, A0, 1C, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefd904ae0 12 bytes [48, B8, 74, 1B, 1D, 00, 00, ...] 
.text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefd9056d1 11 bytes [B8, 0A, 1C, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd908c20 9 bytes [48, B8, 38, 0C, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefd908c2a 2 bytes [50, C3] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefd908c51 11 bytes [B8, 36, 1D, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd909140 12 bytes [48, B8, 40, 13, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefd90dea1 11 bytes [B8, E0, 09, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd911931 11 bytes [B8, A2, 0B, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd919f11 11 bytes [B8, AA, 12, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd934130 12 bytes [48, B8, 0C, 0B, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd940861 11 bytes [B8, 5A, 17, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd942ca1 8 bytes [B8, AC, 01, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd942caa 2 bytes [50, C3] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd942ce1 11 bytes [B8, 76, 0A, 1D, 00, 00, 00, ...] 
.text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefe8fae31 11 bytes [B8, 8C, 30, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefe8fae91 11 bytes [B8, 9E, 2D, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefe8fe699 11 bytes [B8, 4E, 32, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefe90043d 11 bytes [B8, 34, 2E, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefe900529 11 bytes [B8, F6, 2F, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefe900561 11 bytes [B8, 22, 31, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefe9005a9 5 bytes [B8, B8, 31, 1D, 00] .text ... * 2 .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefe914d51 2 bytes [B8, D4] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 52 000007fefe914d54 8 bytes [1D, 00, 00, 00, 00, 00, 50, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe915468 12 bytes [48, B8, 08, 2D, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefe92b831 7 bytes [B8, 60, 2F, 1D, 00, 00, 00] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefe92b83a 2 bytes [50, C3] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe92b8bc 12 bytes [48, B8, 72, 2C, 1D, 00, 00, ...] 
.text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe92ba30 12 bytes [48, B8, 46, 2B, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe92ba9c 12 bytes [48, B8, B0, 2A, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe9f642d 11 bytes [B8, 84, 29, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe9f6484 12 bytes [48, B8, C2, 27, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe9f6519 11 bytes [B8, DC, 2B, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe9f6c34 12 bytes [48, B8, 2C, 27, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe9f7ab5 11 bytes [B8, 1A, 2A, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe9f8b01 11 bytes [B8, 58, 28, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe9f8c39 11 bytes [B8, EE, 28, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe67b031 11 bytes [B8, 00, 26, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe694991 11 bytes [B8, E4, 32, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe6949b1 11 bytes [B8, 7A, 33, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe6a9209 11 bytes [B8, 10, 34, 1D, 00, 00, 00, ...] 
.text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefe8a13b1 11 bytes [B8, EA, 4A, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe8a18e0 12 bytes [48, B8, 54, 4A, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefe8a1bd1 11 bytes [B8, BE, 49, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefe8a2201 11 bytes [B8, 42, 4D, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe8a23c0 12 bytes [48, B8, 66, 47, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!connect 000007fefe8a45c0 12 bytes [48, B8, D0, 46, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!send + 1 000007fefe8a8001 11 bytes [B8, 28, 49, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe8a8df0 7 bytes [48, B8, 92, 48, 1D, 00, 00] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefe8a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe8ac090 12 bytes [48, B8, FC, 47, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefe8ade91 11 bytes [B8, 80, 4B, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefe8adf41 11 bytes [B8, AC, 4C, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefe8ce0f1 11 bytes [B8, 16, 4C, 1D, 00, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefcc956e0 12 bytes [48, B8, 9A, 4F, 1D, 00, 00, ...] 
.text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefcca010c 12 bytes [48, B8, 04, 4F, 1D, 00, 00, ...] .text C:\Windows\system32\PING.EXE[5092] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefccbdaa0 12 bytes [48, B8, 6E, 4E, 1D, 00, 00, ...] .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077aaf9c8 5 bytes JMP 00000001000209a8 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aafa80 5 bytes JMP 0000000100020700 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077aafbc8 5 bytes JMP 0000000100020656 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000077aafc48 5 bytes JMP 00000001000208fe .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077aafcc0 5 bytes JMP 00000001000203f2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077aafcf0 5 bytes JMP 0000000100020018 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077aafd20 5 bytes JMP 000000010002003a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077aafd50 5 bytes JMP 0000000100020634 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077aafe68 5 bytes JMP 0000000100020986 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077aafeb4 5 bytes JMP 00000001000203ae .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077aafee4 5 bytes JMP 0000000100020436 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] 
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077aaff60 5 bytes JMP 0000000100020810 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077aaffc4 5 bytes JMP 0000000100020414 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077ab0044 5 bytes JMP 00000001000209ca .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077ab008c 5 bytes JMP 000000010002036a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ab00a4 5 bytes JMP 0000000100020326 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ab0154 5 bytes JMP 0000000100020128 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ab0264 5 bytes JMP 00000001000201b0 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ab083c 5 bytes JMP 0000000100020964 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ab08b4 5 bytes JMP 0000000100020348 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ab0944 5 bytes JMP 0000000100020304 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ab0e94 5 bytes JMP 0000000100020722 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000077ab1160 5 bytes JMP 00000001000208dc .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ab16a4 5 bytes JMP 00000001000205f0 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ab19c0 5 bytes JMP 00000001000203d0 
.text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ab1c84 5 bytes JMP 0000000100020744 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077ab1df4 5 bytes JMP 000000010002047a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ab1e10 5 bytes JMP 0000000100020458 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ab1e2c 5 bytes JMP 00000001000209ec .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ab1f88 5 bytes JMP 0000000100020942 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077ac2a64 5 bytes JMP 00000001000200c2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077ac8fe1 5 bytes JMP 0000000100020920 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlSetEnvironmentVariable 0000000077ad59a0 5 bytes JMP 0000000100020832 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077af10bb 5 bytes JMP 000000010002016c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b39577 5 bytes JMP 0000000100020612 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b3f80f 5 bytes JMP 000000010002014a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 00000001000200e4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 00000001000202c0 .text D:\Programy\IObit Malware 
Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007686499f 5 bytes JMP 0000000100020238 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873bbb 5 bytes JMP 000000010002038c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879abc 5 bytes JMP 00000001000207ee .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879b1d 5 bytes JMP 00000001000207aa .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 000000007688733f 5 bytes JMP 000000010002025a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888f2 5 bytes JMP 00000001000206de .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccc1 5 bytes JMP 0000000100020788 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688cce1 5 bytes JMP 00000001000207cc .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e31a9 5 bytes JMP 000000010002029e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076907603 5 bytes JMP 0000000100020568 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076907626 5 bytes JMP 000000010002058a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769079d1 5 bytes JMP 00000001000205ac .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907a4a 5 bytes JMP 00000001000205ce .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] 
C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075688f85 5 bytes JMP 00000001000200a0 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007568c538 5 bytes JMP 0000000100020546 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007568edb9 5 bytes JMP 00000001000204e0 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007568f319 5 bytes JMP 00000001000201d2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007568fb9c 5 bytes JMP 0000000100020106 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007568fcca 5 bytes JMP 0000000100020766 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 000000007569146c 5 bytes JMP 0000000100020524 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075691493 5 bytes JMP 0000000100020502 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075691e3d 5 bytes JMP 000000010002007e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000075691f29 5 bytes JMP 0000000100020216 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075692bcd 5 bytes JMP 000000010002069a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000075692e41 5 bytes JMP 0000000100020678 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075692e7f 5 bytes JMP 00000001000206bc .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] 
C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000075692fe2 5 bytes JMP 000000010002005c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007569396b 5 bytes JMP 000000010002049c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000075693cd8 5 bytes JMP 000000010002018e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000756945fe 5 bytes JMP 00000001000201f4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000075694770 5 bytes JMP 00000001000204be .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000075694799 5 bytes JMP 00000001000202e2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 000000007569a37a 5 bytes JMP 0000000100020876 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!FindClose 000000007569a589 5 bytes JMP 0000000100020898 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 000000007569a663 5 bytes JMP 0000000100020854 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007569c8a8 5 bytes JMP 000000010002027c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 000000007569e414 5 bytes JMP 00000001000208ba .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007547a472 5 bytes JMP 0000000100020a0e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000754827ce 5 bytes JMP 0000000100020afc .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007548e6cf 5 bytes JMP 
0000000100020ada .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 000000007646633b 5 bytes JMP 0000000100020a30 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000076488685 5 bytes JMP 000000010002117e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000764886a4 5 bytes JMP 00000001000211a0 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000764940e0 5 bytes JMP 00000001000211c2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076977004 5 bytes JMP 00000001000210d4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769778f2 5 bytes JMP 0000000100020e4e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076977be3 5 bytes JMP 0000000100020e2c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076978a39 5 bytes JMP 0000000100020ef8 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!FindWindowW 000000007697990d 5 bytes JMP 000000010002106e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007697b6fd 5 bytes JMP 0000000100020a52 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!GetWindowLongA 000000007697d166 5 bytes JMP 00000001000210b2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007697d23e 5 bytes JMP 0000000100020f1a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007697ee19 5 bytes JMP 0000000100020e0a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] 
C:\Windows\syswow64\USER32.dll!FindWindowA 000000007697fff6 5 bytes JMP 000000010002102a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000769800e9 5 bytes JMP 000000010002104c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769805ca 5 bytes JMP 0000000100020e92 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076980e0b 5 bytes JMP 0000000100020f3c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769812b5 5 bytes JMP 000000010002115c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000769820fc 5 bytes JMP 0000000100021008 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076983bba 5 bytes JMP 000000010002113a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076985f84 5 bytes JMP 0000000100020e70 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076986295 5 bytes JMP 0000000100020eb4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076987613 5 bytes JMP 0000000100020de8 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076987678 5 bytes JMP 0000000100021118 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076987afe 5 bytes JMP 0000000100020fe6 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007698836c 5 bytes JMP 0000000100020dc6 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007699ce64 5 bytes JMP 0000000100020f80 
.text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007699f54b 5 bytes JMP 0000000100020ed6 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007699f5a8 5 bytes JMP 0000000100021090 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000769a10c0 5 bytes JMP 0000000100020f5e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000769cfd9e 1 byte JMP 0000000100020fa2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 2 00000000769cfda0 3 bytes {CALL QWORD [RCX]} .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000769cfdc2 5 bytes JMP 0000000100020fc4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769d6e25 5 bytes JMP 00000001000210f6 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076fc8e91 5 bytes JMP 0000000100020cd8 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076fc9181 5 bytes JMP 0000000100020c94 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076fc918e 5 bytes JMP 0000000100020d3e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000076fcc4da 5 bytes JMP 0000000100020da4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076fcc9f4 5 bytes JMP 0000000100020b40 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000076fcdebc 5 bytes JMP 0000000100020cb6 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] 
C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000076fcdede 5 bytes JMP 0000000100020d82 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000076fcdef6 5 bytes JMP 0000000100020d1c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000076fcdf26 5 bytes JMP 0000000100020d60 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076fd2b58 5 bytes JMP 0000000100020b1e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076fd3604 5 bytes JMP 0000000100020c2e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076fd4959 5 bytes JMP 0000000100020a74 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076fe7154 5 bytes JMP 0000000100020c72 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076fe716c 5 bytes JMP 0000000100020ba6 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076fe7184 5 bytes JMP 0000000100020bc8 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000076fe77cb 5 bytes JMP 0000000100020cfa .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 000000007700338c 5 bytes JMP 0000000100020bea .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 000000007700339c 5 bytes JMP 0000000100020c0c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000770033ac 5 bytes JMP 0000000100020b62 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 
00000000770033bc 5 bytes JMP 0000000100020b84 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000770033fc 5 bytes JMP 0000000100020c50 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076713918 5 bytes JMP 00000001000212d2 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076713cd3 5 bytes JMP 00000001000212b0 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!socket 0000000076713eb8 5 bytes JMP 00000001000212f4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076714406 5 bytes JMP 0000000100021206 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076714889 5 bytes JMP 000000010002124a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!recv 0000000076716b0e 5 bytes JMP 0000000100021338 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!connect 0000000076716bdd 5 bytes JMP 0000000100021228 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!send 0000000076716f01 5 bytes JMP 00000001000211e4 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076717089 5 bytes JMP 000000010002135a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007671cc3f 5 bytes JMP 0000000100021316 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007671d1ea 5 bytes JMP 000000010002126c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076727673 5 bytes JMP 000000010002128e .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 
00000000758201a9 5 bytes JMP 000000010002137c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\urlmon.dll!CreateUri + 128 0000000075532b30 5 bytes JMP 0000000100021426 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToCacheFileW 000000007556f810 5 bytes JMP 000000010002148c .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToFileW 000000007556ffd0 5 bytes JMP 0000000100021448 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\SysWOW64\urlmon.dll!URLDownloadToFileA 00000000755eef00 5 bytes JMP 000000010002146a .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7688b233 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7688b35e C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 76909011 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 768648ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 7690890a C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 76908ae0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 76908800 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 76908bca C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7687fcc0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000076de1555 2 bytes JMP 76886907 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 769090c9 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 76908c2a C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 769087c4 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7687fd59 C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7688b2f4 C:\Windows\syswow64\kernel32.dll .text 
D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 76908f8c C:\Windows\syswow64\kernel32.dll .text D:\Programy\IObit Malware Fighter\IMF.exe[3132] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 76908759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2016\bdwtxag.exe[1240] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007782b891 11 bytes [B8, F0, 12, FB, 01, 00, 00, ...] .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077aaf9c8 5 bytes JMP 00000001000209a8 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aafa80 5 bytes JMP 0000000100020700 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077aafbc8 5 bytes JMP 0000000100020656 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000077aafc48 5 bytes JMP 00000001000208fe .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077aafcc0 5 bytes JMP 00000001000203f2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077aafcf0 5 bytes JMP 0000000100020018 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077aafd20 5 bytes JMP 000000010002003a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077aafd50 5 bytes JMP 0000000100020634 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077aafe68 5 bytes JMP 0000000100020986 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] 
C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077aafeb4 5 bytes JMP 00000001000203ae .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077aafee4 5 bytes JMP 0000000100020436 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077aaff60 5 bytes JMP 0000000100020810 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077aaffc4 5 bytes JMP 0000000100020414 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077ab0044 5 bytes JMP 00000001000209ca .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077ab008c 5 bytes JMP 000000010002036a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ab00a4 5 bytes JMP 0000000100020326 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ab0154 5 bytes JMP 0000000100020128 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ab0264 5 bytes JMP 00000001000201b0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ab083c 5 bytes JMP 0000000100020964 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ab08b4 5 bytes JMP 0000000100020348 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ab0944 5 bytes JMP 0000000100020304 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ab0e94 5 bytes JMP 0000000100020722 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000077ab1160 5 bytes JMP 00000001000208dc .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ab16a4 5 bytes JMP 00000001000205f0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ab19c0 5 bytes JMP 00000001000203d0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ab1c84 5 bytes JMP 0000000100020744 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077ab1df4 5 bytes JMP 000000010002047a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ab1e10 5 bytes JMP 0000000100020458 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ab1e2c 5 bytes JMP 00000001000209ec .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ab1f88 5 bytes JMP 0000000100020942 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077ac2a64 5 bytes JMP 00000001000200c2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077ac8fe1 5 bytes JMP 0000000100020920 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!RtlSetEnvironmentVariable 0000000077ad59a0 5 bytes JMP 0000000100020832 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077af10bb 5 bytes JMP 000000010002016c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b39577 5 bytes JMP 0000000100020612 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] 
C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b3f80f 5 bytes JMP 000000010002014a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 00000001000200e4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 00000001000202c0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007686499f 5 bytes JMP 0000000100020238 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873bbb 5 bytes JMP 000000010002038c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879abc 5 bytes JMP 00000001000207ee .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879b1d 5 bytes JMP 00000001000207aa .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 000000007688733f 5 bytes JMP 000000010002025a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888f2 5 bytes JMP 00000001000206de .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccc1 5 bytes JMP 0000000100020788 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688cce1 5 bytes JMP 00000001000207cc .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e31a9 5 bytes JMP 000000010002029e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076907603 5 bytes JMP 0000000100020568 .text D:\Programy\IObit Malware 
Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076907626 5 bytes JMP 000000010002058a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769079d1 5 bytes JMP 00000001000205ac .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907a4a 5 bytes JMP 00000001000205ce .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075688f85 5 bytes JMP 00000001000200a0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007568c538 5 bytes JMP 0000000100020546 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007568edb9 5 bytes JMP 00000001000204e0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007568f319 5 bytes JMP 00000001000201d2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007568fb9c 5 bytes JMP 0000000100020106 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007568fcca 5 bytes JMP 0000000100020766 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 000000007569146c 5 bytes JMP 0000000100020524 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075691493 5 bytes JMP 0000000100020502 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075691e3d 5 bytes JMP 000000010002007e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000075691f29 5 bytes JMP 0000000100020216 .text D:\Programy\IObit 
Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075692bcd 5 bytes JMP 000000010002069a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000075692e41 5 bytes JMP 0000000100020678 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075692e7f 5 bytes JMP 00000001000206bc .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000075692fe2 5 bytes JMP 000000010002005c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007569396b 5 bytes JMP 000000010002049c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000075693cd8 5 bytes JMP 000000010002018e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000756945fe 5 bytes JMP 00000001000201f4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000075694770 5 bytes JMP 00000001000204be .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000075694799 5 bytes JMP 00000001000202e2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 000000007569a37a 5 bytes JMP 0000000100020876 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!FindClose 000000007569a589 5 bytes JMP 0000000100020898 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 000000007569a663 5 bytes JMP 0000000100020854 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007569c8a8 5 bytes JMP 000000010002027c .text D:\Programy\IObit Malware 
Fighter\IMFTips.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 000000007569e414 5 bytes JMP 00000001000208ba .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007547a472 5 bytes JMP 0000000100020a0e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000754827ce 5 bytes JMP 0000000100020afc .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007548e6cf 5 bytes JMP 0000000100020ada .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 000000007646633b 5 bytes JMP 0000000100020a30 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000076488685 5 bytes JMP 000000010002117e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000764886a4 5 bytes JMP 00000001000211a0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000764940e0 5 bytes JMP 00000001000211c2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076977004 5 bytes JMP 00000001000210d4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769778f2 5 bytes JMP 0000000100020e4e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076977be3 5 bytes JMP 0000000100020e2c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076978a39 5 bytes JMP 0000000100020ef8 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!FindWindowW 000000007697990d 5 bytes JMP 000000010002106e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] 
C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007697b6fd 5 bytes JMP 0000000100020a52 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!GetWindowLongA 000000007697d166 5 bytes JMP 00000001000210b2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007697d23e 5 bytes JMP 0000000100020f1a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007697ee19 5 bytes JMP 0000000100020e0a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007697fff6 5 bytes JMP 000000010002102a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000769800e9 5 bytes JMP 000000010002104c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769805ca 5 bytes JMP 0000000100020e92 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076980e0b 5 bytes JMP 0000000100020f3c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769812b5 5 bytes JMP 000000010002115c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000769820fc 5 bytes JMP 0000000100021008 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076983bba 5 bytes JMP 000000010002113a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076985f84 5 bytes JMP 0000000100020e70 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076986295 5 bytes JMP 0000000100020eb4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 
0000000076987613 5 bytes JMP 0000000100020de8 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076987678 5 bytes JMP 0000000100021118 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076987afe 5 bytes JMP 0000000100020fe6 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007698836c 5 bytes JMP 0000000100020dc6 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007699ce64 5 bytes JMP 0000000100020f80 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007699f54b 5 bytes JMP 0000000100020ed6 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007699f5a8 5 bytes JMP 0000000100021090 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000769a10c0 5 bytes JMP 0000000100020f5e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000769cfd9e 1 byte JMP 0000000100020fa2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 2 00000000769cfda0 3 bytes {CALL QWORD [RCX]} .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000769cfdc2 5 bytes JMP 0000000100020fc4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769d6e25 5 bytes JMP 00000001000210f6 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076fc8e91 5 bytes JMP 0000000100020cd8 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 
0000000076fc9181 5 bytes JMP 0000000100020c94 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076fc918e 5 bytes JMP 0000000100020d3e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000076fcc4da 5 bytes JMP 0000000100020da4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076fcc9f4 5 bytes JMP 0000000100020b40 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000076fcdebc 5 bytes JMP 0000000100020cb6 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000076fcdede 5 bytes JMP 0000000100020d82 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000076fcdef6 5 bytes JMP 0000000100020d1c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000076fcdf26 5 bytes JMP 0000000100020d60 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076fd2b58 5 bytes JMP 0000000100020b1e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076fd3604 5 bytes JMP 0000000100020c2e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076fd4959 5 bytes JMP 0000000100020a74 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076fe7154 5 bytes JMP 0000000100020c72 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076fe716c 5 bytes JMP 0000000100020ba6 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 
0000000076fe7184 5 bytes JMP 0000000100020bc8 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000076fe77cb 5 bytes JMP 0000000100020cfa .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 000000007700338c 5 bytes JMP 0000000100020bea .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 000000007700339c 5 bytes JMP 0000000100020c0c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000770033ac 5 bytes JMP 0000000100020b62 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000770033bc 5 bytes JMP 0000000100020b84 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000770033fc 5 bytes JMP 0000000100020c50 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076713918 5 bytes JMP 00000001000212d2 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076713cd3 5 bytes JMP 00000001000212b0 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!socket 0000000076713eb8 5 bytes JMP 00000001000212f4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076714406 5 bytes JMP 0000000100021206 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076714889 5 bytes JMP 000000010002124a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!recv 0000000076716b0e 5 bytes JMP 0000000100021338 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!connect 0000000076716bdd 5 bytes JMP 0000000100021228 .text 
D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!send 0000000076716f01 5 bytes JMP 00000001000211e4 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076717089 5 bytes JMP 000000010002135a .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007671cc3f 5 bytes JMP 0000000100021316 .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007671d1ea 5 bytes JMP 000000010002126c .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076727673 5 bytes JMP 000000010002128e .text D:\Programy\IObit Malware Fighter\IMFTips.exe[5116] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 00000000758201a9 5 bytes JMP 000000010002137c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077aaf9c8 5 bytes JMP 00000001000309a8 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aafa80 5 bytes JMP 0000000100030700 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077aafbc8 5 bytes JMP 0000000100030656 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 0000000077aafc48 5 bytes JMP 00000001000308fe .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077aafcc0 5 bytes JMP 00000001000303f2 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077aafcf0 5 bytes JMP 0000000100030018 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077aafd20 5 bytes JMP 000000010003003a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077aafd50 5 bytes JMP 0000000100030634 .text C:\Windows\SysWOW64\cmd.exe[5544] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077aafe68 5 bytes JMP 0000000100030986 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077aafeb4 5 bytes JMP 00000001000303ae .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077aafee4 5 bytes JMP 0000000100030436 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077aaff60 5 bytes JMP 0000000100030810 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077aaffc4 5 bytes JMP 0000000100030414 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077ab0044 5 bytes JMP 00000001000309ca .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077ab008c 5 bytes JMP 000000010003036a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ab00a4 5 bytes JMP 0000000100030326 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ab0154 5 bytes JMP 0000000100030128 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ab0264 5 bytes JMP 00000001000301b0 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ab083c 5 bytes JMP 0000000100030964 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ab08b4 5 bytes JMP 0000000100030348 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ab0944 5 bytes JMP 0000000100030304 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ab0e94 5 bytes JMP 0000000100030722 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 0000000077ab1160 5 bytes JMP 00000001000308dc .text C:\Windows\SysWOW64\cmd.exe[5544] 
C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ab16a4 5 bytes JMP 00000001000305f0 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ab19c0 5 bytes JMP 00000001000303d0 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ab1c84 5 bytes JMP 0000000100030744 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077ab1df4 5 bytes JMP 000000010003047a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ab1e10 5 bytes JMP 0000000100030458 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ab1e2c 5 bytes JMP 00000001000309ec .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ab1f88 5 bytes JMP 0000000100030942 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077ac2a64 5 bytes JMP 00000001000300c2 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 0000000077ac8fe1 5 bytes JMP 0000000100030920 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!RtlSetEnvironmentVariable 0000000077ad59a0 5 bytes JMP 0000000100030832 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077af10bb 5 bytes JMP 000000010003016c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b39577 5 bytes JMP 0000000100030612 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b3f80f 5 bytes JMP 000000010003014a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000076860e00 5 bytes JMP 00000001000300e4 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076861072 5 bytes JMP 
00000001000302c0 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007686499f 5 bytes JMP 0000000100030238 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076873bbb 5 bytes JMP 000000010003038c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076879abc 5 bytes JMP 00000001000307ee .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076879b1d 5 bytes JMP 00000001000307aa .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 000000007688733f 5 bytes JMP 000000010003025a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768888f2 5 bytes JMP 00000001000306de .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007688ccc1 5 bytes JMP 0000000100030788 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007688cce1 5 bytes JMP 00000001000307cc .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768e31a9 5 bytes JMP 000000010003029e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076907603 5 bytes JMP 0000000100030568 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076907626 5 bytes JMP 000000010003058a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000769079d1 5 bytes JMP 00000001000305ac .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000076907a4a 5 bytes JMP 00000001000305ce .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075688f85 5 bytes JMP 00000001000300a0 .text C:\Windows\SysWOW64\cmd.exe[5544] 
C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007568c538 5 bytes JMP 0000000100030546 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007568edb9 5 bytes JMP 00000001000304e0 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007568f319 5 bytes JMP 00000001000301d2 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007568fb9c 5 bytes JMP 0000000100030106 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007568fcca 5 bytes JMP 0000000100030766 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 000000007569146c 5 bytes JMP 0000000100030524 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075691493 5 bytes JMP 0000000100030502 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075691e3d 5 bytes JMP 000000010003007e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000075691f29 5 bytes JMP 0000000100030216 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075692bcd 5 bytes JMP 000000010003069a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000075692e41 5 bytes JMP 0000000100030678 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075692e7f 5 bytes JMP 00000001000306bc .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000075692fe2 5 bytes JMP 000000010003005c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007569396b 5 bytes JMP 000000010003049c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000075693cd8 5 bytes JMP 000000010003018e .text 
C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000756945fe 5 bytes JMP 00000001000301f4 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000075694770 5 bytes JMP 00000001000304be .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000075694799 5 bytes JMP 00000001000302e2 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 000000007569a37a 5 bytes JMP 0000000100030876 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!FindClose 000000007569a589 5 bytes JMP 0000000100030898 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 000000007569a663 5 bytes JMP 0000000100030854 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007569c8a8 5 bytes JMP 000000010003027c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 000000007569e414 5 bytes JMP 00000001000308ba .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007547a472 5 bytes JMP 0000000100030a0e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000754827ce 5 bytes JMP 0000000100030ab8 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007548e6cf 5 bytes JMP 0000000100030a96 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!GetWindowLongW 0000000076977004 5 bytes JMP 00000001000310f6 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769778f2 5 bytes JMP 0000000100030e70 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076977be3 5 bytes JMP 0000000100030e4e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076978a39 5 bytes JMP 0000000100030f1a .text 
C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!FindWindowW 000000007697990d 5 bytes JMP 0000000100031090 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007697b6fd 5 bytes JMP 0000000100030a30 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!GetWindowLongA 000000007697d166 5 bytes JMP 00000001000310d4 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007697d23e 5 bytes JMP 0000000100030f3c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007697ee19 5 bytes JMP 0000000100030e2c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007697fff6 5 bytes JMP 000000010003104c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000769800e9 5 bytes JMP 000000010003106e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769805ca 5 bytes JMP 0000000100030eb4 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076980e0b 5 bytes JMP 0000000100030f5e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769812b5 5 bytes JMP 000000010003117e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000769820fc 5 bytes JMP 000000010003102a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076983bba 5 bytes JMP 000000010003115c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076985f84 5 bytes JMP 0000000100030e92 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076986295 5 bytes JMP 0000000100030ed6 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076987613 5 bytes JMP 0000000100030e0a .text 
C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076987678 5 bytes JMP 000000010003113a .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000076987afe 5 bytes JMP 0000000100031008 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007698836c 5 bytes JMP 0000000100030de8 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007699ce64 5 bytes JMP 0000000100030fa2 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007699f54b 5 bytes JMP 0000000100030ef8 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007699f5a8 5 bytes JMP 00000001000310b2 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000769a10c0 5 bytes JMP 0000000100030f80 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000769cfd9e 5 bytes JMP 0000000100030fc4 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000769cfdc2 5 bytes JMP 0000000100030fe6 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769d6e25 5 bytes JMP 0000000100031118 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 000000007646633b 5 bytes JMP 0000000100030a52 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000076488685 5 bytes JMP 0000000100030ada .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000764886a4 5 bytes JMP 0000000100030afc .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000764940e0 5 bytes JMP 0000000100030b1e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076fc8e91 
5 bytes JMP 0000000100030cfa .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076fc9181 5 bytes JMP 0000000100030cb6 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076fc918e 5 bytes JMP 0000000100030d60 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 0000000076fcc4da 5 bytes JMP 0000000100030dc6 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076fcc9f4 5 bytes JMP 0000000100030b62 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 0000000076fcdebc 5 bytes JMP 0000000100030cd8 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 0000000076fcdede 5 bytes JMP 0000000100030da4 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 0000000076fcdef6 5 bytes JMP 0000000100030d3e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 0000000076fcdf26 5 bytes JMP 0000000100030d82 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076fd2b58 5 bytes JMP 0000000100030b40 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076fd3604 5 bytes JMP 0000000100030c50 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076fd4959 5 bytes JMP 0000000100030a74 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076fe7154 5 bytes JMP 0000000100030c94 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076fe716c 5 bytes JMP 0000000100030bc8 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076fe7184 5 bytes JMP 0000000100030bea .text C:\Windows\SysWOW64\cmd.exe[5544] 
C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 0000000076fe77cb 5 bytes JMP 0000000100030d1c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 000000007700338c 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 000000007700339c 5 bytes JMP 0000000100030c2e .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000770033ac 5 bytes JMP 0000000100030b84 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000770033bc 5 bytes JMP 0000000100030ba6 .text C:\Windows\SysWOW64\cmd.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000770033fc 5 bytes JMP 0000000100030c72 .text C:\Program Files\Bitdefender\Bitdefender 2016\seccenter.exe[5804] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007782b891 11 bytes [B8, F0, 12, 83, 02, 00, 00, ...] ---- Processes - GMER 2.1 ---- Library \\?\C:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender 2016\vsserv.exe [512] (FILE NOT FOUND) 000007fefb630000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@CriticalSectionTimeout 2592000 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@GlobalFlag 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitFreeBlockThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitTotalFreeThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentCommit 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentReserve 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProcessorControl 2 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ResourceTimeoutCount 648000 Reg 
HKLM\SYSTEM\ControlSet002\Control\Session Manager@BootExecute autocheck autochk *? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ExcludeFromKnownDlls Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ObjectDirectories \Windows?\RPC Control? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProtectionMode 1 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@NumberOfInitialSessions 2 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@AutoChkTimeout 5 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@SetupExecute Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) ---- EOF - GMER 2.1 ----