GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-17 19:05:32 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 SAMSUNG_HD642JJ rev.1AA01113 596,17GB Running: bd906o1w.exe; Driver: C:\Users\Karol\AppData\Local\Temp\uxldapod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 666 fffff80002dc108a 6 bytes [00, 00, 00, 00, 00, 00] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 674 fffff80002dc1092 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, F9, EF, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes [48, B8, B9, 6C, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes [48, B8, F9, 6A, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\msi.dll!MsiDecomposeDescriptorW + 157 000007fef28f3e45 11 bytes [B8, 39, F5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\msi.dll!MsiQueryProductStateA + 1 000007fef29725d9 11 bytes [B8, 79, 4B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\msi.dll!MsiInstallProductA + 1 000007fef2972a55 11 bytes [B8, F9, 47, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\msi.dll!MsiQueryProductStateW + 1 000007fef2981291 11 bytes [B8, 39, 4D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\msi.dll!MsiInstallProductW + 1 000007fef29815fd 11 bytes [B8, B9, 49, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\msi.dll!MsiOpenDatabaseW + 1 000007fef2999c71 11 bytes [B8, 39, 46, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\msi.dll!MsiOpenDatabaseA + 1 000007fef2999e9d 11 bytes [B8, 79, 44, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atiesrxx.exe[1196] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1240] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc7156e0 12 bytes [48, B8, 39, E0, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc72010c 12 bytes [48, B8, 79, DE, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1240] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc73daa0 12 bytes [48, B8, B9, DC, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, F1, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes [48, B8, B9, 6C, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes [48, B8, F9, 6A, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1276] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc7156e0 12 bytes [48, B8, 39, E0, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc72010c 12 bytes [48, B8, 79, DE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc73daa0 12 bytes [48, B8, B9, DC, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, F1, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes [48, B8, B9, 6C, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes [48, B8, F9, 6A, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefd9ddc81 11 bytes [B8, 79, 8A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc7156e0 12 bytes [48, B8, 39, E0, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc72010c 12 bytes [48, B8, 79, DE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc73daa0 12 bytes [48, B8, B9, DC, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\msi.dll!MsiDecomposeDescriptorW + 157 000007fef28f3e45 11 bytes [B8, 79, FA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\msi.dll!MsiQueryProductStateA + 1 000007fef29725d9 11 bytes [B8, 79, 4B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\msi.dll!MsiInstallProductA + 1 000007fef2972a55 11 bytes [B8, F9, 47, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\msi.dll!MsiQueryProductStateW + 1 000007fef2981291 11 bytes [B8, 39, 4D, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\msi.dll!MsiInstallProductW + 1 000007fef29815fd 11 bytes [B8, B9, 49, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\msi.dll!MsiOpenDatabaseW + 1 000007fef2999c71 11 bytes [B8, 39, 46, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\msi.dll!MsiOpenDatabaseA + 1 000007fef2999e9d 11 bytes [B8, 79, 44, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077332b80 6 bytes [48, B8, F9, EF, 5A, 75] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077332b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\atieclxx.exe[1708] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, F1, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes [48, B8, B9, 6C, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes [48, B8, F9, 6A, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1984] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc7156e0 12 bytes [48, B8, 39, E0, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc72010c 12 bytes [48, B8, 79, DE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1984] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc73daa0 12 bytes [48, B8, B9, DC, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077332b80 6 bytes [48, B8, F9, EF, 5A, 75] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077332b88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefc7156e0 12 bytes [48, B8, 39, E0, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefc72010c 12 bytes [48, B8, 79, DE, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefc73daa0 12 bytes [48, B8, B9, DC, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, F1, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes [48, B8, B9, 6C, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes [48, B8, F9, 6A, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1952] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774df9e0 5 bytes JMP 00000001754d6581 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774dfb28 5 bytes JMP 00000001754d5f91 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000774dfc20 5 bytes JMP 00000001754d31d9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfc50 5 bytes JMP 00000001754d15f1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000774dfc80 5 bytes JMP 00000001754d1689 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774dfcb0 5 bytes JMP 00000001754d5ef9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfe14 5 bytes JMP 00000001754d30a9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000774dfe44 5 bytes JMP 00000001754d3309 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000774dff24 5 bytes JMP 00000001754d3271 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000774dffec 5 bytes JMP 00000001754d2ee1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774e0004 5 bytes JMP 00000001754d2db1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774e00b4 5 bytes JMP 00000001754d1ed9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774e01c4 5 bytes JMP 00000001754d2301 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000774e0814 5 bytes JMP 00000001754d2e49 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774e08a4 5 bytes JMP 00000001754d2d19 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774e0df4 5 bytes JMP 00000001754d6619 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000774e1604 5 bytes JMP 00000001754d4ac9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774e1920 5 bytes JMP 00000001754d3141 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774e1be4 5 bytes JMP 00000001754d66b1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000774e1d54 5 bytes JMP 00000001754d3439 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000774e1d70 5 bytes JMP 00000001754d33a1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774f88c4 5 bytes JMP 00000001754d1ab1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077520d3b 5 bytes JMP 00000001754d2009 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007756860f 5 bytes JMP 00000001754d4b61 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007756e8ab 5 bytes JMP 00000001754d1f71 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000765b0e00 5 bytes JMP 00000001754d1da9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000765b1072 5 bytes JMP 00000001754d2a21 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000765b499f 5 bytes JMP 00000001754d25f9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765c3bbb 5 bytes JMP 00000001754d3011 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000765d7327 5 bytes JMP 00000001754d2729 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000765d88da 5 bytes JMP 00000001754d64e9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076632ff1 5 bytes JMP 00000001754d28f1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007665748b 5 bytes JMP 00000001754d46a1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000766574ae 5 bytes JMP 00000001754d47d1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076657859 5 bytes JMP 00000001754d4901 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000766578d2 5 bytes JMP 00000001754d4a31 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000763f8f8d 5 bytes JMP 00000001754d1a19 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000763fc436 5 bytes JMP 00000001754d3b59 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000763feca6 5 bytes JMP 00000001754d3601 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000763ff206 4 bytes JMP 00000001754d2399 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000763ffa89 5 bytes JMP 00000001754d1e41 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076401358 5 bytes JMP 00000001754d3ac1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007640137f 5 bytes JMP 00000001754d3a29 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076401d29 5 bytes JMP 00000001754d1981 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076401e15 5 bytes JMP 00000001754d24c9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076402ab1 5 bytes JMP 00000001754d60c1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076402cd9 5 bytes JMP 00000001754d6029 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076402d17 5 bytes JMP 00000001754d6159 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076402e7a 5 bytes JMP 00000001754d18e9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076403b70 5 bytes JMP 00000001754d2269 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076404496 5 bytes JMP 00000001754d2431 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076404608 5 bytes JMP 00000001754d3569 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076404631 5 bytes JMP 00000001754d2c81 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007640c734 5 bytes JMP 00000001754d27c1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 00000000754d6ca1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 00000000754d1be1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 00000000754d1b49 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007512c9ec 5 bytes JMP 00000000754d3c89 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000075132b70 5 bytes JMP 00000000754d3bf1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007513361c 5 bytes JMP 00000000754d40b1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000075134965 5 bytes JMP 00000000754d6d39 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000751470c4 5 bytes JMP 00000000754d4311 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000751470dc 5 bytes JMP 00000000754d3e51 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000751470f4 5 bytes JMP 00000000754d3ee9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000751631f4 5 bytes JMP 00000000754d3f81 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075163204 5 bytes JMP 00000000754d4019 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075163214 5 bytes JMP 00000000754d3d21 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075163224 5 bytes JMP 00000000754d3db9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075163264 5 bytes JMP 00000000754d4279 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000761b78e2 5 bytes JMP 00000001754d4441 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000761b7bd3 5 bytes JMP 00000001754d43a9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000761b8a29 5 bytes JMP 00000001754d5871 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000761b98fd 5 bytes JMP 00000001754d6321 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000761bb6ed 5 bytes JMP 00000001754d6dd1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000761bd22e 5 bytes JMP 00000001754d5909 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761bee09 5 bytes JMP 00000001754d34d1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000761bffe6 5 bytes JMP 00000001754d61f1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000761c00d9 5 bytes JMP 00000001754d6289 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000761c05ba 5 bytes JMP 00000001754d4571 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000761c0dfb 5 bytes JMP 00000001754d59a1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000761c20ec 5 bytes JMP 00000001754d5d31 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000761c5f74 5 bytes JMP 00000001754d44d9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000761c6285 5 bytes JMP 00000001754d4bf9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761c7603 5 bytes JMP 00000001754d2be9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000761c7aee 5 bytes JMP 00000001754d5c99 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761c835c 5 bytes JMP 00000001754d2b51 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000761dce54 5 bytes JMP 00000001754d5ad1 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000761df52b 5 bytes JMP 00000001754d4c91 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000761df588 5 bytes JMP 00000001754d63b9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000761e10a0 5 bytes JMP 00000001754d5a39 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007620fcd6 5 bytes JMP 00000001754d5b69 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007620fcfa 5 bytes JMP 00000001754d5c01 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000000d30179 5 bytes JMP 00000000754d4d29 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\msi.dll!MsiGetComponentPathW + 992 0000000071bc66dd 5 bytes JMP 00000000754d6f01 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\msi.dll!MsiQueryProductStateW 0000000071bd4a16 5 bytes JMP 00000000754d3991 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\msi.dll!MsiInstallProductW 0000000071c6ec2b 5 bytes JMP 00000000754d3861 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\msi.dll!MsiInstallProductA 0000000071c7377e 5 bytes JMP 00000000754d37c9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\msi.dll!MsiQueryProductStateA 0000000071c7f25d 5 bytes JMP 00000000754d38f9 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\msi.dll!MsiOpenDatabaseW 0000000071c95b84 5 bytes JMP 00000000754d3731 .text C:\Windows\SysWOW64\svchost.exe[1692] C:\Windows\SysWOW64\msi.dll!MsiOpenDatabaseA 0000000071c96489 5 bytes JMP 00000000754d3699 .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, F1, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes [48, B8, B9, 6C, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes [48, B8, F9, 6A, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2168] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, F1, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes [48, B8, B9, 6C, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes [48, B8, F9, 6A, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[2364] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, F0, 12, B9, 01] .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2436] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007725b7e1 11 bytes [B8, F0, 12, DF, 01, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2948] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 39, BD, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, F9, A9, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes {JMP QWORD [RIP+0x8e0eb20]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077331520 6 bytes {JMP QWORD [RIP+0x8e6eb10]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 39, A8, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773315e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077331800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000773318b0 6 bytes {JMP QWORD [RIP+0x8dce780]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077331e40 6 bytes {JMP QWORD [RIP+0x8dee1f0]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, F9, BE, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes {JMP QWORD [RIP+0x8e8d850]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, B9, C0, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077332b80 6 bytes [48, B8, B9, D5, 5A, 75] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077332b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes {JMP QWORD [RIP+0x90024b0]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, F9, D3, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 39, AF, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, F9, B0, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd3f8ef1 11 bytes {JMP QWORD [RIP+0x87140]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, B9, AB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4e4ea1 11 bytes [B8, B9, DC, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4e55c8 12 bytes {JMP QWORD [RIP+0xfaa68]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4fb85c 12 bytes {JMP QWORD [RIP+0xc47d4]} .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4fb9d0 12 bytes [48, B8, 79, 60, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4fba3c 12 bytes [48, B8, B9, 5E, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes {JMP QWORD [RIP+0x8e0eb20]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077331520 6 bytes {JMP QWORD [RIP+0x8e6eb10]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773315e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077331800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000773318b0 6 bytes {JMP QWORD [RIP+0x8dce780]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077331e40 6 bytes {JMP QWORD [RIP+0x8dee1f0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes {JMP QWORD [RIP+0x8e8d850]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 6 bytes {JMP QWORD [RIP+0x90024b0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd3f9055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, F9, 55, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, F9, 5C, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes {JMP QWORD [RIP+0x8e0eb20]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077331520 6 bytes {JMP QWORD [RIP+0x8e6eb10]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 39, 5B, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773315e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077331800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000773318b0 6 bytes {JMP QWORD [RIP+0x8dce780]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077331e40 6 bytes {JMP QWORD [RIP+0x8dee1f0]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, B9, 5E, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes {JMP QWORD [RIP+0x8e8d850]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, 79, 60, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077332b80 6 bytes [48, B8, B9, 65, 5A, 75] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077332b88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes {JMP QWORD [RIP+0x90024b0]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, F9, 63, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd3f9055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 79, 4B, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, 39, 46, 5A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 79, 44, 5A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, 39, 4D, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, F9, 47, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, B9, 49, 5A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\msi.dll!MsiSetInternalUI 000007fef28f5c70 6 bytes {JMP QWORD [RIP+0xbda3c0]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\msi.dll!MsiInstallProductA 000007fef2972a54 6 bytes {JMP QWORD [RIP+0x2dd5dc]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\msi.dll!MsiInstallProductW 000007fef29815fc 6 bytes {JMP QWORD [RIP+0xb1ea34]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fef5a27b34 6 bytes JMP 300030 .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fef5a303c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 0000000004b33030 6 bytes {JMP QWORD [RIP+0xdad000]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\WS2_32.dll!connect + 1 0000000004b345c1 11 bytes {JMP QWORD [RIP+0xc4ba70]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\WS2_32.dll!listen 0000000004b38290 6 bytes {JMP QWORD [RIP+0xd87da0]} .text C:\Windows\Explorer.EXE[2576] C:\Windows\system32\WS2_32.dll!WSAConnect 0000000004b5e0f0 6 bytes {JMP QWORD [RIP+0xc41f40]} .text C:\Program Files\Bitdefender\Bitdefender\bdagent.exe[3644] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007feff5a3030 6 bytes {JMP QWORD [RIP+0xdd000]} .text C:\Program Files\Bitdefender\Bitdefender\bdagent.exe[3644] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff5a45c1 5 bytes {JMP QWORD [RIP+0x7ba70]} .text C:\Program Files\Bitdefender\Bitdefender\bdagent.exe[3644] C:\Windows\system32\WS2_32.dll!listen 000007feff5a8290 6 bytes {JMP QWORD [RIP+0xb7da0]} .text C:\Program Files\Bitdefender\Bitdefender\bdagent.exe[3644] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff5ce0f0 6 bytes {JMP QWORD [RIP+0x71f40]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes {JMP QWORD [RIP+0x8e0eb20]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077331520 6 bytes {JMP QWORD [RIP+0x8e6eb10]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, F0, 12, 3D, 02] .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773315e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077331800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000773318b0 6 bytes {JMP QWORD [RIP+0x8dce780]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077331e40 6 bytes {JMP QWORD [RIP+0x8dee1f0]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes {JMP QWORD [RIP+0x8e8d850]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 6 bytes {JMP QWORD [RIP+0x90024b0]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007725b7e1 11 bytes [B8, F0, 12, 66, 02, 00, 00, ...] .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd3f9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007feff5a3030 6 bytes {JMP QWORD [RIP+0xdd000]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff5a45c1 5 bytes JMP 90ffffe8 .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\system32\WS2_32.dll!listen 000007feff5a8290 6 bytes {JMP QWORD [RIP+0xb7da0]} .text C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[3656] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff5ce0f0 6 bytes JMP 60246489 .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000774dfc20 3 bytes JMP 718a000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 00000000774dfc24 2 bytes JMP 718a000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000774dfc38 3 bytes JMP 7181000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 00000000774dfc3c 2 bytes JMP 7181000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774dfd64 3 bytes JMP 7184000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774dfd68 2 bytes JMP 7184000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774e00b4 3 bytes JMP 7187000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774e00b8 2 bytes JMP 7187000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774e01c4 3 bytes JMP 7190000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774e01c8 2 bytes JMP 7190000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000774e0a44 3 bytes JMP 718d000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000774e0a48 2 bytes JMP 718d000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774e1920 3 bytes JMP 717e000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 00000000774e1924 2 bytes JMP 717e000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765c3bbb 3 bytes JMP 717b000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000765c3bbf 2 bytes JMP 717b000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076402c9e 4 bytes CALL 71af0000 .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761b9679 6 bytes JMP 719f000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761c12a5 6 bytes JMP 7199000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761c3baa 6 bytes JMP 719c000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761c612e 6 bytes JMP 71a2000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!SendInput 00000000761dff4a 3 bytes JMP 71a5000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761dff4e 2 bytes JMP 71a5000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!mouse_event 000000007621027b 6 bytes JMP 71ab000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762102bf 6 bytes JMP 71a8000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000751470c4 6 bytes JMP 7193000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075163264 6 bytes JMP 7196000a .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762e1401 2 bytes JMP 765db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762e1419 2 bytes JMP 765db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762e1431 2 bytes JMP 76658ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762e144a 2 bytes CALL 765b48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762e14dd 2 bytes JMP 766587a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762e14f5 2 bytes JMP 76658978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762e150d 2 bytes JMP 76658698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762e1525 2 bytes JMP 76658a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762e153d 2 bytes JMP 765cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762e1555 2 bytes JMP 765d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762e156d 2 bytes JMP 76658f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762e1585 2 bytes JMP 76658ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762e159d 2 bytes JMP 7665865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762e15b5 2 bytes JMP 765cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762e15cd 2 bytes JMP 765db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762e16b2 2 bytes JMP 76658e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762e16bd 2 bytes JMP 766585f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes [48, B8, F9, 32, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes [48, B8, 39, 31, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077332b80 6 bytes [48, B8, F9, EF, 5A, 75] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077332b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3116] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3f8ef0 12 bytes [48, B8, B9, C7, 5A, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff5a13b1 11 bytes [B8, B9, C0, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!closesocket 000007feff5a18e0 12 bytes [48, B8, F9, BE, 5A, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff5a1bd1 11 bytes [B8, 39, BD, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff5a2201 11 bytes [B8, B9, EA, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff5a23c0 12 bytes [48, B8, 79, A6, 5A, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!connect 000007feff5a45c0 12 bytes [48, B8, 79, 67, 5A, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!send + 1 000007feff5a8001 11 bytes [B8, 79, BB, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff5a8df0 7 bytes [48, B8, F9, A9, 5A, 75, 00] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff5a8df9 3 bytes [00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff5ac090 12 bytes [48, B8, 39, A8, 5A, 75, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff5ade91 11 bytes [B8, B9, E3, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff5adf41 11 bytes [B8, F9, E8, 5A, 75, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff5ce0f1 11 bytes [B8, 39, E7, 5A, 75, 00, 00, ...] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774df9e0 5 bytes JMP 00000001754d6581 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774dfb28 5 bytes JMP 00000001754d5f91 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000774dfc20 5 bytes JMP 00000001754d31d9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000774dfc38 3 bytes JMP 717c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 00000000774dfc3c 2 bytes JMP 717c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfc50 5 bytes JMP 00000001754d15f1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000774dfc80 5 bytes JMP 00000001754d1689 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774dfcb0 5 bytes JMP 00000001754d5ef9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774dfd64 3 bytes JMP 717f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774dfd68 2 bytes JMP 717f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfe14 5 bytes JMP 00000001754d30a9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000774dfe44 5 bytes JMP 00000001754d3309 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000774dff24 5 bytes JMP 00000001754d3271 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000774dffec 5 bytes JMP 00000001754d2ee1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774e0004 5 bytes JMP 00000001754d2db1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774e00b4 5 bytes JMP 00000001754d1ed9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774e01c4 5 bytes JMP 00000001754d2301 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000774e0814 5 bytes JMP 00000001754d2e49 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774e08a4 5 bytes JMP 00000001754d2d19 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000774e0a44 3 bytes JMP 7182000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000774e0a48 2 bytes JMP 7182000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774e0df4 5 bytes JMP 00000001754d6619 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000774e1604 5 bytes JMP 00000001754d4ac9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774e1920 5 bytes JMP 00000001754d3141 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774e1be4 5 bytes JMP 00000001754d66b1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000774e1d54 5 bytes JMP 00000001754d3439 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000774e1d70 5 bytes JMP 00000001754d33a1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000774e1ee8 5 bytes JMP 00000001754d6ca1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774f88c4 5 bytes JMP 00000001754d1ab1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077520d3b 5 bytes JMP 00000001754d2009 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007756860f 5 bytes JMP 00000001754d4b61 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007756e8ab 5 bytes JMP 00000001754d1f71 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000765b0e00 5 bytes JMP 00000001754d1da9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000765b1072 5 bytes JMP 00000001754d2a21 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000765b499f 5 bytes JMP 00000001754d25f9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765c3bbb 5 bytes JMP 00000001754d3011 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000765d7327 5 bytes JMP 00000001754d2729 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000765d88da 5 bytes JMP 00000001754d64e9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076632ff1 5 bytes JMP 00000001754d28f1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007665748b 5 bytes JMP 00000001754d46a1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000766574ae 5 bytes JMP 00000001754d47d1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076657859 5 bytes JMP 00000001754d4901 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000766578d2 5 bytes JMP 00000001754d4a31 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000763f8f8d 5 bytes JMP 00000001754d1a19 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000763fc436 5 bytes JMP 00000001754d3b59 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000763feca6 5 bytes JMP 00000001754d3601 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000763ff206 4 bytes JMP 00000001754d2399 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000763ffa89 5 bytes JMP 00000001754d1e41 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076401358 5 bytes JMP 00000001754d3ac1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007640137f 5 bytes JMP 00000001754d3a29 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076401d29 5 bytes JMP 00000001754d1981 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076401e15 5 bytes JMP 00000001754d24c9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076402ab1 5 bytes JMP 00000001754d60c1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076402c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076402cd9 5 bytes JMP 00000001754d6029 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076402d17 5 bytes JMP 00000001754d6159 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076402e7a 5 bytes JMP 00000001754d18e9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076403b70 5 bytes JMP 00000001754d2269 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076404496 5 bytes JMP 00000001754d2431 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076404608 5 bytes JMP 00000001754d3569 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076404631 5 bytes JMP 00000001754d2c81 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007640c734 5 bytes JMP 00000001754d27c1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 00000000754d6e69 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 00000000754d1be1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 00000000754d1b49 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000761b78e2 5 bytes JMP 00000001754d4441 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000761b7bd3 5 bytes JMP 00000001754d43a9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000761b8a29 5 bytes JMP 00000001754d5871 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761b9679 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000761b98fd 5 bytes JMP 00000001754d6321 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000761bb6ed 5 bytes JMP 00000001754d6f01 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000761bd22e 5 bytes JMP 00000001754d5909 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761bee09 5 bytes JMP 00000001754d34d1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000761bffe6 5 bytes JMP 00000001754d61f1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000761c00d9 5 bytes JMP 00000001754d6289 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000761c05ba 5 bytes JMP 00000001754d4571 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000761c0dfb 5 bytes JMP 00000001754d59a1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761c12a5 5 bytes JMP 00000001754d6dd1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000761c20ec 5 bytes JMP 00000001754d5d31 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761c3baa 5 bytes JMP 00000001754d6d39 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000761c5f74 5 bytes JMP 00000001754d44d9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761c612e 6 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000761c6285 5 bytes JMP 00000001754d4bf9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761c7603 5 bytes JMP 00000001754d2be9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000761c7aee 5 bytes JMP 00000001754d5c99 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761c835c 5 bytes JMP 00000001754d2b51 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000761dce54 5 bytes JMP 00000001754d5ad1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000761df52b 5 bytes JMP 00000001754d4c91 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000761df588 5 bytes JMP 00000001754d63b9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SendInput 00000000761dff4a 3 bytes JMP 719f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761dff4e 2 bytes JMP 719f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000761e10a0 5 bytes JMP 00000001754d5a39 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007620fcd6 5 bytes JMP 00000001754d5b69 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007620fcfa 5 bytes JMP 00000001754d5c01 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!mouse_event 000000007621027b 6 bytes JMP 71a5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762102bf 6 bytes JMP 71a2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007512c9ec 5 bytes JMP 00000000754d3c89 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000075132b70 5 bytes JMP 00000000754d3bf1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007513361c 5 bytes JMP 00000000754d40b1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000075134965 5 bytes JMP 00000000754d6f99 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000751470c4 5 bytes JMP 00000000754d4311 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000751470dc 5 bytes JMP 00000000754d3e51 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000751470f4 5 bytes JMP 00000000754d3ee9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000751631f4 5 bytes JMP 00000000754d3f81 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075163204 5 bytes JMP 00000000754d4019 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075163214 5 bytes JMP 00000000754d3d21 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075163224 5 bytes JMP 00000000754d3db9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075163264 5 bytes JMP 00000000754d4279 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000000660179 5 bytes JMP 00000000754d4d29 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762e1401 2 bytes JMP 765db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762e1419 2 bytes JMP 765db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762e1431 2 bytes JMP 76658ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762e144a 2 bytes CALL 765b48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762e14dd 2 bytes JMP 766587a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762e14f5 2 bytes JMP 76658978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762e150d 2 bytes JMP 76658698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762e1525 2 bytes JMP 76658a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762e153d 2 bytes JMP 765cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762e1555 2 bytes JMP 765d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762e156d 2 bytes JMP 76658f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762e1585 2 bytes JMP 76658ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762e159d 2 bytes JMP 7665865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762e15b5 2 bytes JMP 765cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762e15cd 2 bytes JMP 765db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762e16b2 2 bytes JMP 76658e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762e16bd 2 bytes JMP 766585f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 00000000766cc637 5 bytes JMP 00000001754d4149 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 00000000766ccb03 5 bytes JMP 00000001754d21d1 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4448] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000076757664 5 bytes JMP 00000001754d2ab9 .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000773192d1 5 bytes [B8, 39, 69, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000773192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773313a0 6 bytes [48, B8, 79, D7, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000773313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077331470 6 bytes [48, B8, 39, C4, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077331478 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077331510 6 bytes {JMP QWORD [RIP+0x8e0eb20]} .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077331518 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077331520 6 bytes {JMP QWORD [RIP+0x8e6eb10]} .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 6 bytes [48, B8, 39, 1C, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077331538 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077331550 6 bytes [48, B8, F9, 1D, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077331558 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077331570 6 bytes [48, B8, 79, C2, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077331578 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773315e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 6 bytes [48, B8, 79, 2F, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077331658 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077331670 6 bytes [48, B8, 79, 36, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077331678 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 6 bytes [48, B8, B9, 34, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077331708 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077331780 6 bytes [48, B8, 39, 2A, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077331788 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077331790 6 bytes [48, B8, B9, 26, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077331798 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077331800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000773318b0 6 bytes {JMP QWORD [RIP+0x8dce780]} .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077331cd0 6 bytes [48, B8, 79, 28, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077331cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 6 bytes [48, B8, F9, 24, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077331d38 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077331e40 6 bytes {JMP QWORD [RIP+0x8dee1f0]} .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773320a0 6 bytes [48, B8, 39, D9, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000773320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000773325e0 6 bytes [48, B8, 79, 83, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000773325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 6 bytes {JMP QWORD [RIP+0x8e8d850]} .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000773327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773329a0 6 bytes [48, B8, F9, DA, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000773329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077332a80 6 bytes [48, B8, 79, 3D, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077332a88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077332a90 6 bytes [48, B8, B9, 3B, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077332a98 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077332b80 6 bytes [48, B8, F9, EF, 5A, 75] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077332b88 4 bytes [00, 00, 50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000773a3201 11 bytes [B8, 39, 85, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, B9, D5, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 5A, 75, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes {JMP QWORD [RIP+0x90024b0]} .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, EE, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 5A, 75, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 5A, 75, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd3f1861 11 bytes [B8, 79, 52, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd3f2db1 11 bytes [B8, 79, C9, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd3f3461 11 bytes [B8, 39, CB, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd3f8ef1 11 bytes JMP 44 .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd3f94c0 12 bytes [48, B8, B9, 50, 5A, 75, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd3fbfd1 11 bytes [B8, F9, C5, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd402af1 11 bytes [B8, F9, 4E, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd424350 12 bytes [48, B8, B9, 42, 5A, 75, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd432871 8 bytes [B8, 39, 23, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd43287a 2 bytes [50, C3] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd4328b1 11 bytes [B8, F9, 40, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefed4642d 11 bytes [B8, 39, 5B, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefed46484 12 bytes [48, B8, F9, 55, 5A, 75, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefed46519 11 bytes [B8, 39, 62, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefed46c34 12 bytes [48, B8, 39, 54, 5A, 75, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefed47ab5 11 bytes [B8, F9, 5C, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefed48b01 11 bytes [B8, B9, 57, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefed48c39 11 bytes [B8, 79, 59, 5A, 75, 00, 00, ...] .text C:\Windows\notepad.exe[5588] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fef5a27b34 6 bytes JMP 300030 .text C:\Windows\notepad.exe[5588] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fef5a303c0 6 bytes {JMP QWORD [RIP+0x9fc70]} .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000774df8f0 5 bytes JMP 00000001754d69a9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774df9e0 5 bytes JMP 00000001754d6581 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774dfb28 5 bytes JMP 00000001754d5f91 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000774dfc20 5 bytes JMP 00000001754d31d9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000774dfc38 3 bytes JMP 7182000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 00000000774dfc3c 2 bytes JMP 7182000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfc50 5 bytes JMP 00000001754d15f1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000774dfc80 5 bytes JMP 00000001754d1689 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774dfcb0 5 bytes JMP 00000001754d5ef9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774dfd64 3 bytes JMP 7185000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774dfd68 2 bytes JMP 7185000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfe14 5 bytes JMP 00000001754d30a9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000774dfe44 5 bytes JMP 00000001754d3309 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000774dff24 5 bytes JMP 00000001754d3271 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000774dffec 5 bytes JMP 00000001754d2ee1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774e0004 5 bytes JMP 00000001754d2db1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774e00b4 5 bytes JMP 00000001754d1ed9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774e01c4 5 bytes JMP 00000001754d2301 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000774e0814 5 bytes JMP 00000001754d2e49 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774e08a4 5 bytes JMP 00000001754d2d19 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000774e0a44 3 bytes JMP 7188000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000774e0a48 2 bytes JMP 7188000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774e0df4 5 bytes JMP 00000001754d6619 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000774e1604 5 bytes JMP 00000001754d4ac9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774e1920 5 bytes JMP 00000001754d3141 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774e1be4 5 bytes JMP 00000001754d66b1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000774e1d54 5 bytes JMP 00000001754d3439 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000774e1d70 5 bytes JMP 00000001754d33a1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000774e1ee8 5 bytes JMP 00000001754d6d39 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000774f88c4 5 bytes JMP 00000001754d1ab1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077520d3b 5 bytes JMP 00000001754d2009 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007756860f 5 bytes JMP 00000001754d4b61 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007756e8ab 5 bytes JMP 00000001754d1f71 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000765b0e00 5 bytes JMP 00000001754d1da9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000765b1072 5 bytes JMP 00000001754d2a21 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000765b499f 5 bytes JMP 00000001754d25f9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765c3bbb 5 bytes JMP 00000001754d3011 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000765d7327 5 bytes JMP 00000001754d2729 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000765d88da 5 bytes JMP 00000001754d64e9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076632ff1 5 bytes JMP 00000001754d28f1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007665748b 5 bytes JMP 00000001754d46a1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000766574ae 5 bytes JMP 00000001754d47d1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076657859 5 bytes JMP 00000001754d4901 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000766578d2 5 bytes JMP 00000001754d4a31 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000763f8f8d 5 bytes JMP 00000001754d1a19 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000763fc436 5 bytes JMP 00000001754d3b59 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000763feca6 5 bytes JMP 00000001754d3601 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000763ff206 4 bytes JMP 00000001754d2399 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000763ffa89 5 bytes JMP 00000001754d1e41 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076401358 5 bytes JMP 00000001754d3ac1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 000000007640137f 5 bytes JMP 00000001754d3a29 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076401d29 5 bytes JMP 00000001754d1981 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076401e15 5 bytes JMP 00000001754d24c9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076402ab1 5 bytes JMP 00000001754d60c1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076402c9e 4 bytes CALL 71af0000 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076402cd9 5 bytes JMP 00000001754d6029 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076402d17 5 bytes JMP 00000001754d6159 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076402e7a 5 bytes JMP 00000001754d18e9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076403b70 5 bytes JMP 00000001754d2269 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076404496 5 bytes JMP 00000001754d2431 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076404608 5 bytes JMP 00000001754d3569 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076404631 5 bytes JMP 00000001754d2c81 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007640c734 5 bytes JMP 00000001754d27c1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000761b78e2 5 bytes JMP 00000001754d4441 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000761b7bd3 5 bytes JMP 00000001754d43a9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000761b8a29 5 bytes JMP 00000001754d5871 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761b9679 6 bytes JMP 719f000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000761b98fd 5 bytes JMP 00000001754d6321 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000761bb6ed 5 bytes JMP 00000001754d6f01 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000761bd22e 5 bytes JMP 00000001754d5909 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761bee09 5 bytes JMP 00000001754d34d1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000761bffe6 5 bytes JMP 00000001754d61f1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000761c00d9 5 bytes JMP 00000001754d6289 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000761c05ba 5 bytes JMP 00000001754d4571 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000761c0dfb 5 bytes JMP 00000001754d59a1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761c12a5 5 bytes JMP 00000001754d6e69 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000761c20ec 5 bytes JMP 00000001754d5d31 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761c3baa 5 bytes JMP 00000001754d6dd1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000761c5f74 5 bytes JMP 00000001754d44d9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761c612e 6 bytes JMP 71a2000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000761c6285 5 bytes JMP 00000001754d4bf9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761c7603 5 bytes JMP 00000001754d2be9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000761c7aee 5 bytes JMP 00000001754d5c99 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761c835c 5 bytes JMP 00000001754d2b51 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000761dce54 5 bytes JMP 00000001754d5ad1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000761df52b 5 bytes JMP 00000001754d4c91 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000761df588 5 bytes JMP 00000001754d63b9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SendInput 00000000761dff4a 3 bytes JMP 71a5000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761dff4e 2 bytes JMP 71a5000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000761e10a0 5 bytes JMP 00000001754d5a39 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007620fcd6 5 bytes JMP 00000001754d5b69 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007620fcfa 5 bytes JMP 00000001754d5c01 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!mouse_event 000000007621027b 6 bytes JMP 71ab000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762102bf 6 bytes JMP 71a8000a .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074f0a472 5 bytes JMP 00000000754d6f99 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074f127ce 5 bytes JMP 00000000754d1be1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074f1e6cf 5 bytes JMP 00000000754d1b49 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007512c9ec 5 bytes JMP 00000000754d3c89 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000075132b70 5 bytes JMP 00000000754d3bf1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007513361c 5 bytes JMP 00000000754d40b1 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000075134965 5 bytes JMP 00000000754d7031 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000751470c4 5 bytes JMP 00000000754d4311 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000751470dc 5 bytes JMP 00000000754d3e51 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000751470f4 5 bytes JMP 00000000754d3ee9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000751631f4 5 bytes JMP 00000000754d3f81 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075163204 5 bytes JMP 00000000754d4019 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075163214 5 bytes JMP 00000000754d3d21 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075163224 5 bytes JMP 00000000754d3db9 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075163264 5 bytes JMP 00000000754d4279 .text C:\Users\Bieleń\Desktop\bd906o1w.exe[5844] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 00000000006a0179 5 bytes JMP 00000000754d4d29 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4904:5004] 00000000763d7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4904:3808] 000000006c967712 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4904:4956] 0000000077512e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4904:828] 0000000077513e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4904:1216] 0000000077513e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4904:5144] 0000000077513e85 ---- EOF - GMER 2.1 ----