GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-12-13 17:50:29 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD5000AACS-00ZUB0 rev.01.01B01 Running: ygm5vj5j.exe; Driver: C:\Users\ARNEAD~1\AppData\Local\Temp\kxldrpow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\drivers\TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0x8079F2D0] ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 621 81EBCDA4 4 Bytes [D0, F2, 79, 80] {SAL DL, 0x1; JNS 0xffffffffffffff84} ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\System32\svchost.exe[204] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[204] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\System32\svchost.exe[204] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[204] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\System32\svchost.exe[204] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\System32\svchost.exe[204] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\System32\svchost.exe[204] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\System32\svchost.exe[204] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[204] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\System32\svchost.exe[204] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[204] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\System32\svchost.exe[204] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[204] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\System32\svchost.exe[204] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\System32\svchost.exe[204] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\System32\svchost.exe[204] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\System32\svchost.exe[204] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\System32\svchost.exe[204] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\System32\svchost.exe[204] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\System32\svchost.exe[204] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\System32\svchost.exe[204] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\System32\svchost.exe[204] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\svchost.exe[256] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[256] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[256] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[256] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[256] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[256] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[256] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[256] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[256] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[256] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[256] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[256] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[256] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\svchost.exe[256] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[256] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[256] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[256] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\svchost.exe[256] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\svchost.exe[256] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[256] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[256] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[256] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\svchost.exe[280] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[280] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[280] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[280] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[280] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[280] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[280] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[280] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[280] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[280] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[280] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[280] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[280] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\svchost.exe[280] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[280] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[280] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[280] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\svchost.exe[280] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\svchost.exe[280] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[280] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[280] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[280] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Program Files\ThreatFire\TFService.exe[304] kernel32.dll!CreateRemoteThread + 175 7715CCCA 4 Bytes JMP 71AF0000 .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\System32\svchost.exe[484] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\System32\svchost.exe[484] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\System32\svchost.exe[484] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\System32\svchost.exe[484] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\System32\svchost.exe[484] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\System32\svchost.exe[484] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\System32\svchost.exe[484] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\System32\svchost.exe[484] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\System32\svchost.exe[484] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\System32\svchost.exe[484] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\System32\svchost.exe[484] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\System32\svchost.exe[484] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\wininit.exe[608] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[608] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\wininit.exe[608] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[608] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\wininit.exe[608] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\wininit.exe[608] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\wininit.exe[608] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[608] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[608] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\wininit.exe[608] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[608] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\wininit.exe[608] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\wininit.exe[608] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\wininit.exe[608] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\wininit.exe[608] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\wininit.exe[608] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\wininit.exe[608] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\wininit.exe[608] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\wininit.exe[608] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\wininit.exe[608] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\services.exe[652] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[652] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\services.exe[652] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[652] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\services.exe[652] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\services.exe[652] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\services.exe[652] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\services.exe[652] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\services.exe[652] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\services.exe[652] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\services.exe[652] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\services.exe[652] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\services.exe[652] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\services.exe[652] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\services.exe[652] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\services.exe[652] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\services.exe[652] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\services.exe[652] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\services.exe[652] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\services.exe[652] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\services.exe[652] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\services.exe[652] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\services.exe[652] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\services.exe[652] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\services.exe[652] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\services.exe[652] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\services.exe[652] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\services.exe[652] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\services.exe[652] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\services.exe[652] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\services.exe[652] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\services.exe[652] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[652] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\services.exe[652] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\services.exe[652] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\services.exe[652] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\services.exe[652] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\services.exe[652] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[652] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\services.exe[652] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[652] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\services.exe[652] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\services.exe[652] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\services.exe[652] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\services.exe[652] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\services.exe[652] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\services.exe[652] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\services.exe[652] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\services.exe[652] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\services.exe[652] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\services.exe[652] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\services.exe[652] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\services.exe[652] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\services.exe[652] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\services.exe[652] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\services.exe[652] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\services.exe[652] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\services.exe[652] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\services.exe[652] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\lsass.exe[664] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[664] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\lsass.exe[664] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[664] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\lsass.exe[664] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\lsass.exe[664] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\lsass.exe[664] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[664] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[664] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\lsass.exe[664] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[664] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\lsass.exe[664] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\lsass.exe[664] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\lsass.exe[664] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\lsass.exe[664] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\lsass.exe[664] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\lsass.exe[664] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\lsass.exe[664] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\lsass.exe[664] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\lsass.exe[664] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\System32\mobsync.exe[668] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[668] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\System32\mobsync.exe[668] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[668] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\System32\mobsync.exe[668] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\System32\mobsync.exe[668] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[668] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\System32\mobsync.exe[668] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[668] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\System32\mobsync.exe[668] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[668] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\System32\mobsync.exe[668] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\System32\mobsync.exe[668] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\System32\mobsync.exe[668] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\System32\mobsync.exe[668] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\System32\mobsync.exe[668] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\System32\mobsync.exe[668] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\System32\mobsync.exe[668] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\System32\mobsync.exe[668] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\lsm.exe[676] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[676] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\lsm.exe[676] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[676] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\lsm.exe[676] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\lsm.exe[676] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\lsm.exe[676] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\lsm.exe[676] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[676] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\lsm.exe[676] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[676] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\lsm.exe[676] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[676] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\lsm.exe[676] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\lsm.exe[676] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\lsm.exe[676] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\lsm.exe[676] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\lsm.exe[676] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\lsm.exe[676] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\lsm.exe[676] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\lsm.exe[676] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\lsm.exe[676] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 7091000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[776] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 708E000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7168000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 70F3000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 714A000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 7150000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 7108000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 710B000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!MoveFileExW 77131160 4 Bytes JMP EC001E25 .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!MoveFileExW + 5 77131165 1 Byte [70] .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 7120000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 7141000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 7126000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 71A4000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7156000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 70EA000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 71AE000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 7138000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 711D000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 716B000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7177000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 716E000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70F9000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 711A000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 7174000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 713B000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 7123000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 70F0000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 71A7000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 7153000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 7171000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 713E000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70F6000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 714D000A .text C:\Windows\system32\winlogon.exe[840] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 7135000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 7105000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 7165000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 7183000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 7102000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 71A1000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 719B000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7189000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 7162000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 7195000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 7129000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7180000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 712C000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7198000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 712F000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7186000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 719E000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 717D000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 718F000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 7192000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 717A000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 718C000A .text C:\Windows\system32\winlogon.exe[840] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 7132000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\winlogon.exe[840] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [58, 71] .text C:\Windows\system32\winlogon.exe[840] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 7111000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 715F000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 710E000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 715C000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 7114000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70FC000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 7117000A .text C:\Windows\system32\winlogon.exe[840] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70FF000A .text C:\Windows\system32\winlogon.exe[840] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 7144000A .text C:\Windows\system32\winlogon.exe[840] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[864] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[864] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[864] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[864] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[864] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[864] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[864] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[864] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[864] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[864] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[864] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\svchost.exe[864] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[864] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[864] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[864] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\svchost.exe[864] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\svchost.exe[864] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[864] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[864] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[864] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\nvvsvc.exe[908] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[908] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\nvvsvc.exe[908] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[908] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\nvvsvc.exe[908] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\nvvsvc.exe[908] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\nvvsvc.exe[908] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\nvvsvc.exe[908] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\nvvsvc.exe[908] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\nvvsvc.exe[908] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\nvvsvc.exe[908] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\nvvsvc.exe[908] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\nvvsvc.exe[908] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\nvvsvc.exe[908] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[960] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[960] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[960] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[960] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[960] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[960] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[960] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[960] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\svchost.exe[960] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[960] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[960] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[960] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\svchost.exe[960] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\svchost.exe[960] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[960] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[960] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[960] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7110000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709B000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F2000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F8000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B0000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B3000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7095000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C8000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70E9000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CE000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FE000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7092000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E0000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C5000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A1000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C2000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E3000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CB000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7098000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FB000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E6000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709E000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F5000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DD000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AD000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710D000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AA000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710A000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D1000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D4000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D7000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DA000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\System32\svchost.exe[1092] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] USER32.dll!ShowWindow + 5 771FCA15 1 Byte [71] .text C:\Windows\System32\svchost.exe[1092] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70B9000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7107000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B6000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7104000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BC000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A4000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70BF000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A7000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EC000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70EF000A .text C:\Windows\System32\svchost.exe[1116] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1116] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\System32\svchost.exe[1116] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1116] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 710F000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 7099000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F1000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F7000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70AE000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B1000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7093000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C6000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70E7000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CC000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FD000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7090000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70DE000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C3000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7112000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 711E000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7115000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 709F000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C0000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711B000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E1000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70C9000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7096000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FA000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 7118000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E4000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709C000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F4000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\System32\svchost.exe[1116] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DB000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AB000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710C000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712A000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70A8000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7130000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 7109000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70CF000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7127000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D2000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D5000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712D000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7124000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7136000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7121000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7133000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70D8000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1116] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\System32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1116] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\System32\svchost.exe[1116] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1116] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [FF, 70] .text C:\Windows\System32\svchost.exe[1116] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70B7000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7106000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B4000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7103000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BA000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A2000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70BD000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A5000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\System32\svchost.exe[1116] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\System32\svchost.exe[1116] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\System32\svchost.exe[1116] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EA000A .text C:\Windows\System32\svchost.exe[1116] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\System32\svchost.exe[1116] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\System32\svchost.exe[1116] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\System32\svchost.exe[1116] SHELL32.dll!Shell_NotifyIcon 75FEBAED 4 Bytes JMP EC001E25 .text C:\Windows\System32\svchost.exe[1116] SHELL32.dll!Shell_NotifyIcon + 5 75FEBAF2 1 Byte [70] .text C:\Windows\system32\svchost.exe[1136] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1136] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[1136] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1136] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 70BE000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 702A000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70A6000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 703F000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 7042000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7024000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 7057000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 7078000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 705D000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70AC000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7021000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 706F000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 7054000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 70C1000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 70D6000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 70C8000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 7030000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 7051000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 70CE000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 7072000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 705A000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7027000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70A9000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 70CB000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 7075000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 702D000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70A3000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[1136] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 706C000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 703C000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 70BB000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 70F0000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 7039000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 70B8000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 7060000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 7063000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 7066000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7130000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 712D000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 7069000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[1136] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1136] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[1136] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1136] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[1136] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1136] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [AE, 70] .text C:\Windows\system32\svchost.exe[1136] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 7048000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 70B5000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 7045000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 70B2000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 704B000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 7033000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 704E000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 7036000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[1136] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[1136] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[1136] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 708E000A .text C:\Windows\system32\svchost.exe[1136] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[1136] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[1136] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[1136] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 7091000A .text C:\Windows\system32\svchost.exe[1136] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[1136] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[1268] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1268] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[1268] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1268] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[1268] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1268] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1268] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[1268] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1268] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\svchost.exe[1268] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[1268] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[1268] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[1268] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\svchost.exe[1268] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\svchost.exe[1268] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[1268] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[1268] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[1268] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 710D000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 708F000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70EC000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F5000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70A4000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70A7000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7089000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70BC000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70E3000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70C2000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FB000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7086000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70D4000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70B9000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7110000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 711C000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7113000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 7095000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70B6000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 7119000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70D7000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70BF000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 708C000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70F8000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 7116000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70DA000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 7092000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70EF000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70D1000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70A1000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710A000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 7128000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 709E000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 7107000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70C5000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7125000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70C8000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70CB000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712B000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7122000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 711F000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70CE000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[1344] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [FD, 70] .text C:\Windows\system32\svchost.exe[1344] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70AD000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7104000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70AA000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7101000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70B0000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 7098000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70B3000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 709B000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[1344] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 70E0000A .text C:\Windows\system32\svchost.exe[1344] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 70DD000A .text C:\Windows\system32\svchost.exe[1344] shell32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[1344] shell32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70E6000A .text C:\Windows\system32\svchost.exe[1344] shell32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[1344] shell32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[1344] shell32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[1344] shell32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70E9000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1404] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[1448] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1448] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[1448] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1448] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 708F000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F8000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70A4000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70A7000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7089000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70BC000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70C2000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FE000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7086000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70B9000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 7095000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70B6000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70BF000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 708C000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FB000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 7092000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70D2000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70A1000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 709E000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70C5000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70C8000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70CB000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70CE000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1448] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1448] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[1448] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1448] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\svchost.exe[1448] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70AD000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70AA000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70B0000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 7098000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70B3000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 709B000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[1448] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[1448] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[1448] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[1448] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[1448] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[1448] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[1448] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70EE000A .text C:\Windows\system32\WUDFHost.exe[1604] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1604] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\WUDFHost.exe[1604] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1604] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\WUDFHost.exe[1604] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\WUDFHost.exe[1604] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\WUDFHost.exe[1604] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\WUDFHost.exe[1604] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\WUDFHost.exe[1604] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\WUDFHost.exe[1604] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\WUDFHost.exe[1604] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\WUDFHost.exe[1604] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\WUDFHost.exe[1604] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\WUDFHost.exe[1604] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\System32\spoolsv.exe[1680] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1680] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\System32\spoolsv.exe[1680] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1680] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\System32\spoolsv.exe[1680] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\System32\spoolsv.exe[1680] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\System32\spoolsv.exe[1680] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\System32\spoolsv.exe[1680] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\System32\spoolsv.exe[1680] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\System32\spoolsv.exe[1680] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\System32\spoolsv.exe[1680] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\System32\spoolsv.exe[1680] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\System32\spoolsv.exe[1680] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\System32\spoolsv.exe[1680] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\svchost.exe[1724] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1724] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\svchost.exe[1724] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1724] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\svchost.exe[1724] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[1724] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1724] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\svchost.exe[1724] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1724] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\svchost.exe[1724] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1724] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\svchost.exe[1724] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[1724] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[1724] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[1724] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\svchost.exe[1724] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\svchost.exe[1724] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\svchost.exe[1724] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[1724] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[1724] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\IoctlSvc.exe[1792] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\IoctlSvc.exe[1792] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\IoctlSvc.exe[1792] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\IoctlSvc.exe[1792] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\IoctlSvc.exe[1792] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\IoctlSvc.exe[1792] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\IoctlSvc.exe[1792] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\IoctlSvc.exe[1792] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\IoctlSvc.exe[1792] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\IoctlSvc.exe[1792] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\IoctlSvc.exe[1792] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\IoctlSvc.exe[1792] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\IoctlSvc.exe[1792] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\IoctlSvc.exe[1792] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\WUDFHost.exe[1912] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1912] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\WUDFHost.exe[1912] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1912] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\WUDFHost.exe[1912] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\WUDFHost.exe[1912] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\WUDFHost.exe[1912] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\WUDFHost.exe[1912] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\WUDFHost.exe[1912] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\WUDFHost.exe[1912] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\WUDFHost.exe[1912] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\WUDFHost.exe[1912] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\WUDFHost.exe[1912] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\WUDFHost.exe[1912] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\taskeng.exe[2140] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2140] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\taskeng.exe[2140] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2140] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7096000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7093000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7099000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\taskeng.exe[2140] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\taskeng.exe[2140] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\taskeng.exe[2140] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\taskeng.exe[2140] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\taskeng.exe[2140] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\taskeng.exe[2140] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\taskeng.exe[2140] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\taskeng.exe[2140] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\taskeng.exe[2140] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\taskeng.exe[2140] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\taskeng.exe[2140] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 7090000A .text C:\Windows\system32\taskeng.exe[2140] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 708D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [3E, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [56, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 716C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 716F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 70EE000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 7079000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70D0000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70D6000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 708E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 7091000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7073000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70A6000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70C7000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 7188000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70AC000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 712A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7142000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7154000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70DC000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7070000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7130000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70BE000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70A3000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 70F1000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 70FD000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 70F4000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [8A, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 707F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70A0000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 70FA000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70C1000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70A9000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7076000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 712D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70D9000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 70F7000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70C4000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7151000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 707C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70D3000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 715D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70BB000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 708B000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 70EB000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 7109000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 7088000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 7127000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7121000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 710F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 70E8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 711B000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70AF000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7106000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70B2000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 711E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70B5000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 710C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7124000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7103000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7115000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 7118000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7100000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7112000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70B8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 7139000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 713C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [32, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 714B000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7136000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [47, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [DE, 70] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 7097000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 70E5000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 7094000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 70E2000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 714E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 709A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 7082000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 709D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 7085000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7145000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] USER32.dll!EndTask 7723AD32 6 Bytes JMP 715A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7166000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70CA000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7160000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7163000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 7169000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2304] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70CD000A .text C:\Windows\system32\nvvsvc.exe[2320] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[2320] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [3E, 71] .text C:\Windows\system32\nvvsvc.exe[2320] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[2320] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [56, 71] .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 716C000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 716F000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 70EE000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 7079000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70D0000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70D6000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 708E000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 7091000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7073000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70A6000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70C7000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 7188000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 7178000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70AC000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 717B000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 712A000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7142000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7154000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70DC000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7070000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7130000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70BE000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70A3000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 70F1000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 70FD000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 70F4000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [8A, 71] .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 707F000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70A0000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 70FA000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70C1000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70A9000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7076000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 712D000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70D9000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 70F7000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70C4000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7151000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 707C000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70D3000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 715D000A .text C:\Windows\system32\nvvsvc.exe[2320] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70BB000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 708B000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 70EB000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 7109000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 7088000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 7127000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7121000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 710F000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 70E8000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 711B000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70AF000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7106000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70B2000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 711E000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70B5000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 710C000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7124000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7103000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7115000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 7118000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7100000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7112000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70B8000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 7139000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[2320] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 713C000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [32, 71] .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7175000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 714B000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7172000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7136000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [47, 71] .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [DE, 70] .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 7097000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 70E5000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 7094000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 70E2000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 714E000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 709A000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 7082000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 709D000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 7085000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7145000A .text C:\Windows\system32\nvvsvc.exe[2320] USER32.dll!EndTask 7723AD32 6 Bytes JMP 715A000A .text C:\Windows\system32\nvvsvc.exe[2320] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7166000A .text C:\Windows\system32\nvvsvc.exe[2320] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70CA000A .text C:\Windows\system32\nvvsvc.exe[2320] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7160000A .text C:\Windows\system32\nvvsvc.exe[2320] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7163000A .text C:\Windows\system32\nvvsvc.exe[2320] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 7169000A .text C:\Windows\system32\nvvsvc.exe[2320] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70CD000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [4D, 71] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [65, 71] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 70FD000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 7088000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70DF000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70E5000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 709D000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70A0000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7082000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70B5000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70D6000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70BB000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 7139000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7151000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7163000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70EB000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 707F000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 713F000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70CD000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70B2000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7100000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 710C000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7103000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 708E000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70AF000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 7109000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70D0000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70B8000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7085000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 713C000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70E8000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 7106000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70D3000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7160000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 708B000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70E2000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 716C000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70CA000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 709A000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 70FA000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 7118000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 7097000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 7136000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7130000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 711E000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 70F7000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 712A000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70BE000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7115000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70C1000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 712D000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70C4000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 711B000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7133000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7112000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7124000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 7127000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 710F000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7121000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70C7000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 7148000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 714B000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [41, 71] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 715A000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7145000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [56, 71] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!ShowWindow + 4 771FCA14 2 Bytes [ED, 70] .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70A6000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 70F4000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!CreateWindowExW 77201305 6 Bytes JMP 70A3000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!GetWindowTextW 77202069 6 Bytes JMP 70F1000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!GetKeyState 77208CB1 6 Bytes JMP 715D000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!DrawTextW 772097D3 6 Bytes JMP 70A9000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!SetWindowTextW 77209815 6 Bytes JMP 7091000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!DrawTextA 7721558D 6 Bytes JMP 70AC000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 7094000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!DdeConnect 77239A1F 6 Bytes JMP 7154000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] user32.dll!EndTask 7723AD32 6 Bytes JMP 7169000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70D9000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 716F000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\WireHelpSvc.exe[2468] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70DC000A .text C:\Windows\system32\SearchIndexer.exe[2492] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2492] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [23, 71] .text C:\Windows\system32\SearchIndexer.exe[2492] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2492] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 70D2000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 7046000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 709E000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70A4000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 705B000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 705E000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7040000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 7073000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 7094000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 7079000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 710F000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7127000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7139000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70AA000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 703D000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7115000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 708B000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 7070000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 70D5000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 70E1000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 70D8000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 704C000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 706D000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 70DE000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 708E000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 7076000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7043000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7112000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70A7000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 70DB000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 7091000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7136000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 7049000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70A1000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\SearchIndexer.exe[2492] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 7088000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 7058000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 70CF000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 70ED000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 7055000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 710C000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7106000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 70F4000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 70CC000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 7100000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 707C000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 70EA000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 707F000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7103000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 7082000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 70F0000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7109000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 70E7000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 70FA000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 70FD000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 70E4000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 70F7000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 7085000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 711E000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\SearchIndexer.exe[2492] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7121000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [17, 71] .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 7130000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 711B000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [AC, 70] .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 7064000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 70C9000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 7061000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 70C6000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7133000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 7067000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 704F000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 706A000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 7052000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 712A000A .text C:\Windows\system32\SearchIndexer.exe[2492] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\SearchIndexer.exe[2492] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\SearchIndexer.exe[2492] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 7098000A .text C:\Windows\system32\SearchIndexer.exe[2492] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\SearchIndexer.exe[2492] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\SearchIndexer.exe[2492] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\SearchIndexer.exe[2492] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 709B000A .text C:\Windows\system32\WUDFHost.exe[2680] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2680] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [61, 71] .text C:\Windows\system32\WUDFHost.exe[2680] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2680] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A4000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 718F000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7192000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A1000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7111000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709C000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F3000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70F9000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B1000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B4000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7092000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C9000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EA000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AB000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719B000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CF000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719E000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714D000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7165000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7177000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 70FF000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 708B000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7153000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E1000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C6000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7114000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7120000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7117000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AD, 71] .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A2000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C3000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711D000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E4000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CC000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7095000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7150000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FC000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711A000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E7000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7174000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709F000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F6000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7180000A .text C:\Windows\system32\WUDFHost.exe[2680] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DE000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AE000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710E000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712C000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AB000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714A000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7144000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7132000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710B000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713E000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D2000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 7129000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D5000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7141000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D8000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 712F000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7147000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7126000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7138000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713B000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7123000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7135000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DB000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715C000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A7000A .text C:\Windows\system32\WUDFHost.exe[2680] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 715F000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [55, 71] .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7198000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716E000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7195000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 7159000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [01, 71] .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BA000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7108000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B7000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7105000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7171000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BD000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A5000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C0000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A8000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7168000A .text C:\Windows\system32\WUDFHost.exe[2680] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717D000A .text C:\Windows\system32\WUDFHost.exe[2680] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 7189000A .text C:\Windows\system32\WUDFHost.exe[2680] SHELL32.dll!Shell_NotifyIconW 75E28642 4 Bytes JMP EC001E25 .text C:\Windows\system32\WUDFHost.exe[2680] SHELL32.dll!Shell_NotifyIconW + 5 75E28647 1 Byte [70] .text C:\Windows\system32\WUDFHost.exe[2680] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7183000A .text C:\Windows\system32\WUDFHost.exe[2680] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7186000A .text C:\Windows\system32\WUDFHost.exe[2680] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718C000A .text C:\Windows\system32\WUDFHost.exe[2680] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F0000A .text C:\Windows\system32\taskeng.exe[2800] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2800] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\system32\taskeng.exe[2800] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2800] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[2800] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[2800] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\system32\taskeng.exe[2800] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[2800] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[2800] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\system32\taskeng.exe[2800] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[2800] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[2800] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[2800] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text D:\NM Monitor\nmmonitor.exe[2916] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text D:\NM Monitor\nmmonitor.exe[2916] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text D:\NM Monitor\nmmonitor.exe[2916] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text D:\NM Monitor\nmmonitor.exe[2916] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text D:\NM Monitor\nmmonitor.exe[2916] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text D:\NM Monitor\nmmonitor.exe[2916] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text D:\NM Monitor\nmmonitor.exe[2916] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text D:\NM Monitor\nmmonitor.exe[2916] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text D:\NM Monitor\nmmonitor.exe[2916] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text D:\NM Monitor\nmmonitor.exe[2916] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text D:\NM Monitor\nmmonitor.exe[2916] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text D:\NM Monitor\nmmonitor.exe[2916] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text D:\NM Monitor\nmmonitor.exe[2916] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2984] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[3104] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[3236] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3236] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\system32\svchost.exe[3236] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3236] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3236] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3236] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3236] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\system32\svchost.exe[3236] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3236] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\system32\svchost.exe[3236] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3236] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\system32\svchost.exe[3236] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\system32\svchost.exe[3236] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3236] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3236] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\system32\svchost.exe[3236] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3236] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3236] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3236] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\Dwm.exe[3756] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3756] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\system32\Dwm.exe[3756] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3756] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[3756] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[3756] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\system32\Dwm.exe[3756] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[3756] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[3756] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\system32\Dwm.exe[3756] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[3756] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[3756] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[3756] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\taskeng.exe[3784] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3784] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\system32\taskeng.exe[3784] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3784] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[3784] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[3784] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\system32\taskeng.exe[3784] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[3784] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[3784] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\system32\taskeng.exe[3784] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[3784] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[3784] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[3784] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\taskeng.exe[3784] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 7091000A .text C:\Windows\system32\taskeng.exe[3784] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 708E000A .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Explorer.EXE[3812] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\Explorer.EXE[3812] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\Explorer.EXE[3812] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\Explorer.EXE[3812] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 7091000A .text C:\Windows\Explorer.EXE[3812] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 708E000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe[4004] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe[4020] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 7091000A .text C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe[4036] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 708E000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 7097000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70AC000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70AF000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7091000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C4000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CA000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 708E000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70DC000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C1000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 709D000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70BE000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70DF000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70C7000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7094000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E2000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709A000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70D9000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70A9000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70A6000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70CD000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D0000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D3000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70D6000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70B5000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B2000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70B8000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A0000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70BB000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A3000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 70E8000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 70E5000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\Microsoft Security Client\msseces.exe[4048] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 7097000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70AC000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70AF000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7091000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70C4000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70CA000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 708E000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70DC000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C1000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 709D000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70BE000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70DF000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70C7000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 7094000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E2000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 709A000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70D9000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70B5000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B2000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70B8000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A0000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70BB000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A3000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70A9000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70A6000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70CD000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D0000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D3000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70D6000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 70E8000A .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[4056] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 70E5000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\WUDFHost.exe[4860] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[4860] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\system32\WUDFHost.exe[4860] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[4860] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\system32\WUDFHost.exe[4860] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\system32\WUDFHost.exe[4860] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\system32\WUDFHost.exe[4860] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\system32\WUDFHost.exe[4860] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\system32\WUDFHost.exe[4860] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\system32\WUDFHost.exe[4860] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\system32\WUDFHost.exe[4860] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\system32\WUDFHost.exe[4860] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\system32\WUDFHost.exe[4860] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\notepad.exe[5108] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5108] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Windows\system32\notepad.exe[5108] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5108] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Windows\system32\notepad.exe[5108] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Windows\system32\notepad.exe[5108] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5108] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Windows\system32\notepad.exe[5108] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5108] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Windows\system32\notepad.exe[5108] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5108] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Windows\system32\notepad.exe[5108] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Windows\system32\notepad.exe[5108] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Windows\system32\notepad.exe[5108] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Windows\system32\notepad.exe[5108] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Windows\system32\notepad.exe[5108] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Windows\system32\notepad.exe[5108] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Windows\system32\notepad.exe[5108] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Windows\system32\notepad.exe[5108] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A .text C:\Windows\system32\notepad.exe[5108] WININET.dll!InternetOpenUrlA 75B8BFCE 6 Bytes JMP 7091000A .text C:\Windows\system32\notepad.exe[5108] WININET.dll!InternetOpenUrlW 75BED70A 6 Bytes JMP 708E000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ntdll.dll!NtLoadDriver 772F48B4 3 Bytes [FF, 25, 1E] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ntdll.dll!NtLoadDriver + 4 772F48B8 2 Bytes [62, 71] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ntdll.dll!NtSuspendProcess 772F5304 3 Bytes [FF, 25, 1E] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ntdll.dll!NtSuspendProcess + 4 772F5308 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!TerminateProcess 771118EF 6 Bytes JMP 71A5000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateProcessW 77111BF3 6 Bytes JMP 7190000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateProcessA 77111C28 6 Bytes JMP 7193000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!WriteProcessMemory 77111CB8 6 Bytes JMP 71A2000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!VirtualProtect 77111DC3 6 Bytes JMP 7112000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!MoveFileW 7711A2F2 6 Bytes JMP 709D000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CopyFileExW 77120221 6 Bytes JMP 70F4000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CopyFileW 771202A9 6 Bytes JMP 70FA000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!DeleteFileW 7712F54E 6 Bytes JMP 70B2000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!DeleteFileA 7712F66A 6 Bytes JMP 70B5000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!MoveFileExW 77131160 6 Bytes JMP 7097000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!OpenMutexA 7713348F 6 Bytes JMP 70CA000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!DeviceIoControl 771350FF 6 Bytes JMP 70EB000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!LoadLibraryExW + 173 771393EF 4 Bytes JMP 71AC000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!LoadLibraryW 77139400 6 Bytes JMP 719C000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateMutexA 771394D1 6 Bytes JMP 70D0000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!LoadLibraryA 7713957C 6 Bytes JMP 719F000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!GetVolumeInformationW 7713D876 6 Bytes JMP 714E000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!VirtualProtectEx 7713DC52 6 Bytes JMP 7166000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!TerminateThread 77154413 6 Bytes JMP 7178000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!LoadResource 77156CFB 6 Bytes JMP 7100000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!OpenProcess 77157487 6 Bytes JMP 7094000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!GetProcAddress 7715925B 6 Bytes JMP 7154000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!WriteFile 7715ABE1 6 Bytes JMP 70E2000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!OpenMutexW 7715ACA5 6 Bytes JMP 70C7000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!VirtualAlloc 7715AF75 6 Bytes JMP 7115000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateFileW 7715B0EB 6 Bytes JMP 7121000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateThread 7715CB2E 6 Bytes JMP 7118000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateRemoteThread 7715CB55 3 Bytes [FF, 25, 1E] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateRemoteThread + 4 7715CB59 2 Bytes [AE, 71] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!WideCharToMultiByte 7715CE18 6 Bytes JMP 70A3000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!MultiByteToWideChar 7715CEFB 6 Bytes JMP 70C4000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateFileA 7715D07F 6 Bytes JMP 711E000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateDirectoryW 7715D386 6 Bytes JMP 70E5000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateMutexW 7715D775 6 Bytes JMP 70CD000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!MoveFileExA 7716112A 6 Bytes JMP 709A000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!GetVolumeInformationA 771614B7 6 Bytes JMP 7151000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CopyFileA 77162653 6 Bytes JMP 70FD000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateToolhelp32Snapshot 771668C7 6 Bytes JMP 711B000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CreateDirectoryA 77167314 6 Bytes JMP 70E8000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!DebugActiveProcess 77199BC1 6 Bytes JMP 7175000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!MoveFileA 7719F7A1 6 Bytes JMP 70A0000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!CopyFileExA 771A1B59 6 Bytes JMP 70F7000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!WinExec 771A60CF 6 Bytes JMP 7181000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] kernel32.dll!SetThreadContext 771A7E27 6 Bytes JMP 70DF000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegDeleteKeyA 75981C8C 6 Bytes JMP 70AF000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!OpenSCManagerA 75982D93 6 Bytes JMP 710F000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegQueryValueA 759830C8 6 Bytes JMP 712D000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegDeleteKeyW 759838CD 6 Bytes JMP 70AC000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegCreateKeyExA 759839AB 6 Bytes JMP 714B000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegCreateKeyA 75983BA9 6 Bytes JMP 7145000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegSetValueExA 75983BEC 6 Bytes JMP 7133000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!OpenSCManagerW 75987137 6 Bytes JMP 710C000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegOpenKeyA 759889C7 6 Bytes JMP 713F000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!AdjustTokenPrivileges 759899CD 6 Bytes JMP 70D3000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegQueryValueW 759932D4 6 Bytes JMP 712A000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!LookupPrivilegeValueW 759936FF 6 Bytes JMP 70D6000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegCreateKeyW 7599391E 6 Bytes JMP 7142000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!LookupPrivilegeValueA 75993A0F 6 Bytes JMP 70D9000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegSetValueExW 75993D5A 6 Bytes JMP 7130000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegCreateKeyExW 759941F1 6 Bytes JMP 7148000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegQueryValueExA 75997A9D 6 Bytes JMP 7127000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegOpenKeyExA 75997C42 6 Bytes JMP 7139000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegOpenKeyW 7599E2B5 6 Bytes JMP 713C000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegQueryValueExW 759A765E 6 Bytes JMP 7124000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!RegOpenKeyExW 759A7BA1 6 Bytes JMP 7136000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!OpenProcessToken 759A7DDC 6 Bytes JMP 70DC000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!CreateServiceW 759A9EB4 6 Bytes JMP 715D000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!LsaRemoveAccountRights 759CB569 6 Bytes JMP 71A8000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] ADVAPI32.dll!CreateServiceA 759E72A1 6 Bytes JMP 7160000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!RegisterRawInputDevices 771F6161 3 Bytes [FF, 25, 1E] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!RegisterRawInputDevices + 4 771F6165 2 Bytes [56, 71] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!SetWindowsHookExA 771F6322 6 Bytes JMP 7199000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!GetAsyncKeyState 771F863C 6 Bytes JMP 716F000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!SetWindowsHookExW 771F87AD 6 Bytes JMP 7196000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!SetWinEventHook 771F9F3A 6 Bytes JMP 715A000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!GetKeyboardState 771FBD7D 3 Bytes [FF, 25, 1E] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!GetKeyboardState + 4 771FBD81 2 Bytes [6B, 71] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!ShowWindow 771FCA10 3 Bytes [FF, 25, 1E] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!ShowWindow + 4 771FCA14 2 Bytes [02, 71] .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!CreateWindowExA 771FDC2A 6 Bytes JMP 70BB000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!GetWindowTextA 771FF63C 6 Bytes JMP 7109000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!CreateWindowExW 77201305 6 Bytes JMP 70B8000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!GetWindowTextW 77202069 6 Bytes JMP 7106000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!GetKeyState 77208CB1 6 Bytes JMP 7172000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!DrawTextW 772097D3 6 Bytes JMP 70BE000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!SetWindowTextW 77209815 6 Bytes JMP 70A6000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!DrawTextA 7721558D 6 Bytes JMP 70C1000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!SetWindowTextA 7721A4E6 6 Bytes JMP 70A9000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!DdeConnect 77239A1F 6 Bytes JMP 7169000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] USER32.dll!EndTask 7723AD32 6 Bytes JMP 717E000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] SHELL32.dll!ShellExecuteW 75DE9725 6 Bytes JMP 718A000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] SHELL32.dll!Shell_NotifyIconW 75E28642 6 Bytes JMP 70EE000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] SHELL32.dll!ShellExecuteExW 75E3C155 6 Bytes JMP 7184000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] SHELL32.dll!ShellExecuteEx 75FEA292 6 Bytes JMP 7187000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] SHELL32.dll!ShellExecuteA 75FEA32D 6 Bytes JMP 718D000A .text C:\Users\Arne\Desktop\ygm5vj5j.exe[5216] SHELL32.dll!Shell_NotifyIcon 75FEBAED 6 Bytes JMP 70F1000A ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools) AttachedDevice \Driver\tdx \Device\Tcp TfNetMon.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) ---- EOF - GMER 1.0.15 ----