GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-05-12 13:02:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006f STM35004 rev.CC34 465,76GB Running: z3k8tyry.exe; Driver: D:\Users\Grzegorz\AppData\Local\Temp\pgddqpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG D:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff800033f8000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG D:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495 fffff800033f802f 23 bytes [00, 00, 10, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text D:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[860] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, F0, 12, A5, 01] .text D:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[860] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[860] D:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007759b7e1 11 bytes [B8, F0, 12, 1B, 01, 00, 00, ...] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, 39, 69, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077671330 6 bytes [48, B8, B9, EA, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077671338 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776713a0 6 bytes [48, B8, 39, BD, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776713a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, A9, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, A8, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, 39, E7, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, 79, EC, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077671800 6 bytes [48, B8, F9, E8, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077671808 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, F9, EF, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, 79, E5, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, F9, BE, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776725e0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776725e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, B9, C0, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 39, EE, E5, 75] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[1684] D:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000776e3201 11 bytes [B8, 39, 85, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[1684] d:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefca056e0 12 bytes [48, B8, F9, C5, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[1684] d:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefca1010c 12 bytes [48, B8, 39, C4, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[1684] d:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefca2daa0 12 bytes [48, B8, 79, C2, E5, 75, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, F9, 55, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, 5C, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, 5B, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, F9, 7F, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, B9, 81, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, 39, 85, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, 39, 7E, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, B9, 5E, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, 79, 60, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077672b80 6 bytes [48, B8, 79, 75, E5, 75] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077672b88 4 bytes [00, 00, 50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077501c10 12 bytes [48, B8, F9, 39, E5, 75, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077502b61 8 bytes [B8, 39, 69, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077502b6a 2 bytes [50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007751db80 12 bytes [48, B8, B9, 2D, E5, 75, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077520931 11 bytes [B8, B9, 73, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007758f491 11 bytes [B8, 39, 70, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007758f691 11 bytes [B8, B9, 6C, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007758f6c1 8 bytes [B8, B9, 65, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007758f6ca 2 bytes [50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd704350 12 bytes [48, B8, B9, 42, E5, 75, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd710c11 11 bytes [B8, 39, 62, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd712871 8 bytes [B8, 39, 23, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd71287a 2 bytes [50, C3] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7128b1 11 bytes [B8, F9, 40, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe81642d 11 bytes [B8, 79, 4B, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe816484 12 bytes [48, B8, 39, 46, E5, 75, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe816519 11 bytes [B8, 79, 52, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe816c34 12 bytes [48, B8, 79, 44, E5, 75, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe817ab5 11 bytes [B8, 39, 4D, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe818b01 11 bytes [B8, F9, 47, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe818c39 11 bytes [B8, B9, 49, E5, 75, 00, 00, ...] .text D:\Windows\Explorer.EXE[2028] D:\Windows\system32\WS2_32.dll!connect 000007feff4145c0 12 bytes [48, B8, 39, 54, E5, 75, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, 39, 69, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077671330 6 bytes [48, B8, F9, EF, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077671338 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776713a0 6 bytes [48, B8, 39, BD, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776713a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, A9, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, A8, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, 79, EC, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, B9, F1, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077671800 6 bytes [48, B8, 39, EE, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077671808 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, 39, F5, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, B9, EA, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, F9, BE, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776725e0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776725e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, B9, C0, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 79, F3, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077672b80 6 bytes [48, B8, 79, E5, E5, 75] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077672b88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000776e3201 11 bytes [B8, 39, 85, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd6d1861 11 bytes [B8, 79, 52, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd6d2db1 11 bytes [B8, 39, AF, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd6d3461 11 bytes [B8, F9, B0, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd6d8ef0 12 bytes [48, B8, 79, AD, E5, 75, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd6d94c0 12 bytes [48, B8, B9, 50, E5, 75, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd6dbfd1 11 bytes [B8, B9, AB, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd6e2af1 11 bytes [B8, F9, 4E, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd704350 12 bytes [48, B8, B9, 42, E5, 75, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd710c11 11 bytes [B8, 79, C9, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd712871 8 bytes [B8, 39, 23, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd71287a 2 bytes [50, C3] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7128b1 11 bytes [B8, F9, 40, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe81642d 11 bytes [B8, 39, 5B, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe816484 12 bytes [48, B8, F9, 55, E5, 75, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe816519 11 bytes [B8, 39, 62, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe816c34 12 bytes [48, B8, 39, 54, E5, 75, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe817ab5 11 bytes [B8, F9, 5C, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe818b01 11 bytes [B8, B9, 57, E5, 75, 00, 00, ...] .text D:\Windows\system32\taskhost.exe[2068] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe818c39 11 bytes [B8, 79, 59, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, 39, 69, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077671330 6 bytes [48, B8, B9, EA, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077671338 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776713a0 6 bytes [48, B8, 39, BD, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776713a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, A9, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, A8, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, 39, E7, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, 79, EC, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077671800 6 bytes [48, B8, F9, E8, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077671808 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, F9, EF, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, 79, E5, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, F9, BE, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776725e0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776725e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, B9, C0, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 39, EE, E5, 75] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000776e3201 11 bytes [B8, 39, 85, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd6d1861 11 bytes [B8, 79, 52, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd6d2db1 11 bytes [B8, 39, AF, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd6d3461 11 bytes [B8, F9, B0, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd6d8ef0 12 bytes [48, B8, 79, AD, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd6d94c0 12 bytes [48, B8, B9, 50, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd6dbfd1 11 bytes [B8, B9, AB, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd6e2af1 11 bytes [B8, F9, 4E, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd704350 12 bytes [48, B8, B9, 42, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd710c11 11 bytes [B8, 79, C9, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd712871 8 bytes [B8, 39, 23, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd71287a 2 bytes [50, C3] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7128b1 11 bytes [B8, F9, 40, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe81642d 11 bytes [B8, 39, 5B, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe816484 12 bytes [48, B8, F9, 55, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe816519 11 bytes [B8, 39, 62, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe816c34 12 bytes [48, B8, 39, 54, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe817ab5 11 bytes [B8, F9, 5C, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe818b01 11 bytes [B8, B9, 57, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2160] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe818c39 11 bytes [B8, 79, 59, E5, 75, 00, 00, ...] .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000772e0e00 5 bytes JMP 00000001746b1da9 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000772e1072 5 bytes JMP 00000001746b2a21 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000772e499f 5 bytes JMP 00000001746b25f9 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000772f3bbb 5 bytes JMP 00000001746b3011 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000772f9aa4 5 bytes JMP 00000001746b6581 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000772f9b05 5 bytes JMP 00000001746b6321 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000077307327 5 bytes JMP 00000001746b2729 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!Process32NextW 00000000773088da 5 bytes JMP 00000001746b5c01 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007730ccb1 5 bytes JMP 00000001746b61f1 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007730ccd1 5 bytes JMP 00000001746b6451 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!WinExec 0000000077362ff1 5 bytes JMP 00000001746b28f1 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007738748b 5 bytes JMP 00000001746b46a1 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000773874ae 5 bytes JMP 00000001746b47d1 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000077387859 5 bytes JMP 00000001746b4901 .text D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2296] D:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000773878d2 5 bytes JMP 00000001746b4a31 .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd6d1861 11 bytes [B8, 79, 52, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd6d2db1 11 bytes [B8, 39, AF, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd6d3461 11 bytes [B8, F9, B0, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd6d8ef0 12 bytes [48, B8, 79, AD, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd6d94c0 12 bytes [48, B8, B9, 50, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd6dbfd1 11 bytes [B8, B9, AB, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd6e2af1 11 bytes [B8, F9, 4E, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd704350 12 bytes [48, B8, B9, 42, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd710c11 11 bytes [B8, 79, C9, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd712871 8 bytes [B8, 39, 23, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd71287a 2 bytes [50, C3] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7128b1 11 bytes [B8, F9, 40, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe81642d 11 bytes [B8, 39, 5B, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe816484 12 bytes [48, B8, F9, 55, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe816519 11 bytes [B8, 39, 62, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe816c34 12 bytes [48, B8, 39, 54, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe817ab5 11 bytes [B8, F9, 5C, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe818b01 11 bytes [B8, B9, 57, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe818c39 11 bytes [B8, 79, 59, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff4113b1 11 bytes [B8, 79, A6, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!closesocket 000007feff4118e0 12 bytes [48, B8, B9, A4, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff411bd1 11 bytes [B8, F9, A2, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff412201 11 bytes [B8, 39, E0, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff4123c0 12 bytes [48, B8, 39, 8C, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!connect 000007feff4145c0 12 bytes [48, B8, 79, 67, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!send + 1 000007feff418001 11 bytes [B8, 39, A1, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!gethostbyname 000007feff418df0 7 bytes [48, B8, B9, 8F, E5, 75, 00] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff418df9 3 bytes [00, 50, C3] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff41c090 12 bytes [48, B8, F9, 8D, E5, 75, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!socket + 1 000007feff41de91 11 bytes [B8, 39, D9, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!recv + 1 000007feff41df41 11 bytes [B8, 79, DE, E5, 75, 00, 00, ...] .text D:\Windows\system32\svchost.exe[2456] D:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff43e0f1 11 bytes [B8, B9, DC, E5, 75, 00, 00, ...] .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007781fb28 5 bytes JMP 00000001746b2be9 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007781fc20 5 bytes JMP 00000001746b1da9 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007781fc50 5 bytes JMP 00000001746b15f1 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007781fc80 5 bytes JMP 00000001746b1689 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007781fcb0 5 bytes JMP 00000001746b2b51 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007781fdc8 5 bytes JMP 00000001746b37c9 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007781fe14 5 bytes JMP 00000001746b1c79 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007781fe44 5 bytes JMP 00000001746b1ed9 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007781ff24 5 bytes JMP 00000001746b1e41 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007781ffa4 5 bytes JMP 00000001746b3861 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007781ffec 5 bytes JMP 00000001746b1ab1 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077820004 5 bytes JMP 00000001746b1981 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778201c4 5 bytes JMP 00000001746b3991 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007782079c 5 bytes JMP 00000001746b3731 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077820814 5 bytes JMP 00000001746b1a19 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778208a4 5 bytes JMP 00000001746b18e9 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077820df4 5 bytes JMP 00000001746b2c81 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077821920 5 bytes JMP 00000001746b1d11 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077821be4 5 bytes JMP 00000001746b2d19 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077821d54 5 bytes JMP 00000001746b2139 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077821d70 5 bytes JMP 00000001746b20a1 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077821d8c 5 bytes JMP 00000001746b38f9 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077821ee8 5 bytes JMP 00000001746b3439 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077860d3b 5 bytes JMP 00000001746b2989 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000772e0e00 5 bytes JMP 00000001746b33a1 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000772f3bbb 5 bytes JMP 00000001746b1be1 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000772f9aa4 5 bytes JMP 00000001746b3271 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000772f9b05 5 bytes JMP 00000001746b3011 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000077307327 5 bytes JMP 00000001746b2009 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007730ccb1 5 bytes JMP 00000001746b2ee1 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007730ccd1 5 bytes JMP 00000001746b3141 .text D:\Program Files (x86)\Skype\Phone\Skype.exe[3004] D:\Windows\syswow64\WS2_32.dll!connect 00000000753d6bdd 5 bytes JMP 00000001746b28f1 .text D:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3064] D:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007759b7e1 11 bytes [B8, F0, 12, 21, 02, 00, 00, ...] .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007781f928 5 bytes JMP 00000001746b6c09 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtClose 000000007781f9e0 5 bytes JMP 00000001746b5c99 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007781fb28 5 bytes JMP 00000001746b56a9 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007781fc20 5 bytes JMP 00000001746b31d9 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007781fc50 5 bytes JMP 00000001746b15f1 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007781fc80 5 bytes JMP 00000001746b1689 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007781fcb0 5 bytes JMP 00000001746b5611 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007781fdc8 5 bytes JMP 00000001746b6b71 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007781fe14 5 bytes JMP 00000001746b30a9 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007781fe44 5 bytes JMP 00000001746b3309 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007781ff24 5 bytes JMP 00000001746b3271 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007781ffa4 5 bytes JMP 00000001746b6ca1 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007781ffec 5 bytes JMP 00000001746b2ee1 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077820004 5 bytes JMP 00000001746b2db1 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778200b4 5 bytes JMP 00000001746b1ed9 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778201c4 5 bytes JMP 00000001746b2301 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007782079c 5 bytes JMP 00000001746b6ad9 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077820814 5 bytes JMP 00000001746b2e49 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778208a4 5 bytes JMP 00000001746b2d19 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077820df4 5 bytes JMP 00000001746b5d31 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077821604 5 bytes JMP 00000001746b4ac9 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077821920 5 bytes JMP 00000001746b3141 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077821be4 5 bytes JMP 00000001746b5dc9 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077821d54 5 bytes JMP 00000001746b3439 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077821d70 5 bytes JMP 00000001746b33a1 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077821d8c 5 bytes JMP 00000001746b6d39 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077821ee8 5 bytes JMP 00000001746b6911 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778388c4 5 bytes JMP 00000001746b1ab1 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077860d3b 5 bytes JMP 00000001746b2009 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778a860f 5 bytes JMP 00000001746b4b61 .text D:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3280] D:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778ae8ab 5 bytes JMP 00000001746b1f71 .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd6d1861 11 bytes [B8, 79, 52, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd6d2db1 11 bytes [B8, 39, AF, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd6d3461 11 bytes [B8, F9, B0, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd6d8ef0 12 bytes [48, B8, 79, AD, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd6d94c0 12 bytes [48, B8, B9, 50, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd6dbfd1 11 bytes [B8, B9, AB, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd6e2af1 11 bytes [B8, F9, 4E, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd704350 12 bytes [48, B8, B9, 42, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd710c11 11 bytes [B8, 79, C9, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd712871 8 bytes [B8, 39, 23, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd71287a 2 bytes [50, C3] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7128b1 11 bytes [B8, F9, 40, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe81642d 11 bytes [B8, 39, 5B, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe816484 12 bytes [48, B8, F9, 55, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe816519 11 bytes [B8, 39, 62, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe816c34 12 bytes [48, B8, 39, 54, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe817ab5 11 bytes [B8, F9, 5C, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe818b01 11 bytes [B8, B9, 57, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe818c39 11 bytes [B8, 79, 59, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff4113b1 11 bytes [B8, 79, A6, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!closesocket 000007feff4118e0 12 bytes [48, B8, B9, A4, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff411bd1 11 bytes [B8, F9, A2, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff412201 11 bytes [B8, 39, E0, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff4123c0 12 bytes [48, B8, 39, 8C, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!connect 000007feff4145c0 12 bytes [48, B8, 79, 67, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!send + 1 000007feff418001 11 bytes [B8, 39, A1, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!gethostbyname 000007feff418df0 7 bytes [48, B8, B9, 8F, E5, 75, 00] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff418df9 3 bytes [00, 50, C3] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff41c090 12 bytes [48, B8, F9, 8D, E5, 75, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!socket + 1 000007feff41de91 11 bytes [B8, 39, D9, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!recv + 1 000007feff41df41 11 bytes [B8, 79, DE, E5, 75, 00, 00, ...] .text D:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicatorCom.exe[3780] D:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff43e0f1 11 bytes [B8, B9, DC, E5, 75, 00, 00, ...] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, 39, 69, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077671330 6 bytes [48, B8, F9, EF, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077671338 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776713a0 6 bytes [48, B8, 39, BD, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776713a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, A9, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, A8, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, 79, EC, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, B9, F1, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077671800 6 bytes [48, B8, 39, EE, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077671808 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, 39, F5, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, B9, EA, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, F9, BE, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776725e0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776725e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, B9, C0, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 79, F3, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077672b80 6 bytes [48, B8, 79, E5, E5, 75] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077672b88 4 bytes [00, 00, 50, C3] .text D:\Windows\system32\SearchIndexer.exe[4860] D:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000776e3201 11 bytes [B8, 39, 85, E5, 75, 00, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff4113b1 11 bytes [B8, 79, A6, E5, 75, 00, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!closesocket 000007feff4118e0 12 bytes [48, B8, B9, A4, E5, 75, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff411bd1 11 bytes [B8, F9, A2, E5, 75, 00, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff412201 11 bytes [B8, 39, E0, E5, 75, 00, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff4123c0 12 bytes [48, B8, 39, 8C, E5, 75, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!connect 000007feff4145c0 12 bytes [48, B8, 79, 67, E5, 75, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!send + 1 000007feff418001 11 bytes [B8, 39, A1, E5, 75, 00, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!gethostbyname 000007feff418df0 7 bytes [48, B8, B9, 8F, E5, 75, 00] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff418df9 3 bytes [00, 50, C3] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff41c090 12 bytes [48, B8, F9, 8D, E5, 75, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!socket + 1 000007feff41de91 11 bytes [B8, 39, D9, E5, 75, 00, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!recv + 1 000007feff41df41 11 bytes [B8, 79, DE, E5, 75, 00, 00, ...] .text D:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5072] D:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff43e0f1 11 bytes [B8, B9, DC, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, 39, 69, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077671330 6 bytes [48, B8, F9, EF, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077671338 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776713a0 6 bytes [48, B8, 39, BD, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776713a8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, A9, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, A8, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, 79, EC, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, B9, F1, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077671800 6 bytes [48, B8, 39, EE, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077671808 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, 39, F5, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, B9, EA, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, F9, BE, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776725e0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776725e8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, B9, C0, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 79, F3, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077672b80 6 bytes [48, B8, 79, E5, E5, 75] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077672b88 4 bytes [00, 00, 50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000776e3201 11 bytes [B8, 39, 85, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000077501b21 11 bytes [B8, 79, BB, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077501c10 12 bytes [48, B8, F9, 39, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000077502b61 8 bytes [B8, 79, D0, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000077502b6a 2 bytes [50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007751db80 12 bytes [48, B8, B9, 2D, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077520931 11 bytes [B8, B9, E3, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775552f1 11 bytes [B8, B9, 7A, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077555311 11 bytes [B8, 39, 77, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!ReadConsoleW 000000007756a5e0 12 bytes [48, B8, B9, 81, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!ReadConsoleA 000000007756a6f0 12 bytes [48, B8, 39, 7E, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007758f491 11 bytes [B8, 79, D7, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007758f691 11 bytes [B8, F9, D3, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007758f6c1 8 bytes [B8, F9, CC, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007758f6ca 2 bytes [50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd6d1861 11 bytes [B8, 79, 52, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd6d2db1 11 bytes [B8, 39, AF, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd6d3461 11 bytes [B8, F9, B0, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd6d8ef0 12 bytes [48, B8, 79, AD, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd6d94c0 12 bytes [48, B8, B9, 50, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd6dbfd1 11 bytes [B8, B9, AB, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd6e2af1 11 bytes [B8, F9, 4E, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd704350 12 bytes [48, B8, B9, 42, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd710c11 11 bytes [B8, 79, C9, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd712871 8 bytes [B8, 39, 23, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd71287a 2 bytes [50, C3] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7128b1 11 bytes [B8, F9, 40, E5, 75, 00, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007feff745570 12 bytes [48, B8, B9, 65, E5, 75, 00, ...] .text D:\Program Files\Windows Media Player\wmpnetwk.exe[4872] D:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007feff773681 11 bytes [B8, F9, 63, E5, 75, 00, 00, ...] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, 39, 69, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077671330 6 bytes [48, B8, F9, EF, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077671338 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776713a0 6 bytes [48, B8, 39, BD, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776713a8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, A9, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, A8, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, 79, EC, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, B9, F1, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077671800 6 bytes [48, B8, 39, EE, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077671808 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, 39, F5, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, B9, EA, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, F9, BE, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776725e0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776725e8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, B9, C0, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 79, F3, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077672b80 6 bytes [48, B8, 79, E5, E5, 75] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077672b88 4 bytes [00, 00, 50, C3] .text D:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5240] D:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000776e3201 11 bytes [B8, 39, 85, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776592d1 5 bytes [B8, 39, 69, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776592d7 5 bytes [00, 00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077671330 6 bytes [48, B8, B9, EA, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077671338 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776713a0 6 bytes [48, B8, 39, BD, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776713a8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077671470 6 bytes [48, B8, F9, A9, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077671478 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077671510 6 bytes [48, B8, F9, 32, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077671518 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077671530 6 bytes [48, B8, 39, 1C, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077671538 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077671550 6 bytes [48, B8, F9, 1D, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077671558 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077671570 6 bytes [48, B8, 39, A8, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077671578 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077671620 6 bytes [48, B8, 39, E7, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077671628 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077671650 6 bytes [48, B8, 79, 2F, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077671658 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077671670 6 bytes [48, B8, 79, 36, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077671678 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077671700 6 bytes [48, B8, B9, 34, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077671708 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077671750 6 bytes [48, B8, 79, EC, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077671758 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077671780 6 bytes [48, B8, 39, 2A, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077671788 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077671790 6 bytes [48, B8, B9, 26, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077671798 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077671800 6 bytes [48, B8, F9, E8, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077671808 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776718b0 6 bytes [48, B8, F9, EF, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776718b8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077671c80 6 bytes [48, B8, 79, E5, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077671c88 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077671cd0 6 bytes [48, B8, 79, 28, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077671cd8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077671d30 6 bytes [48, B8, F9, 24, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077671d38 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776720a0 6 bytes [48, B8, F9, BE, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776720a8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776725e0 6 bytes [48, B8, 79, 83, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776725e8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776727e0 6 bytes [48, B8, 39, 31, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776727e8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776729a0 6 bytes [48, B8, B9, C0, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776729a8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077672a80 6 bytes [48, B8, 79, 3D, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077672a88 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077672a90 6 bytes [48, B8, B9, 3B, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077672a98 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077672aa0 6 bytes [48, B8, 39, EE, E5, 75] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077672aa8 4 bytes [00, 00, 50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000776e3201 11 bytes [B8, 39, 85, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd6d1861 11 bytes [B8, 79, 52, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd6d2db1 11 bytes [B8, 39, AF, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd6d3461 11 bytes [B8, F9, B0, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd6d8ef0 12 bytes [48, B8, 79, AD, E5, 75, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd6d94c0 12 bytes [48, B8, B9, 50, E5, 75, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd6dbfd1 11 bytes [B8, B9, AB, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd6e2af1 11 bytes [B8, F9, 4E, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd704350 12 bytes [48, B8, B9, 42, E5, 75, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd710c11 11 bytes [B8, 79, C9, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd712871 8 bytes [B8, 39, 23, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd71287a 2 bytes [50, C3] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7128b1 11 bytes [B8, F9, 40, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff484ea1 11 bytes [B8, 39, F5, E5, 75, 00, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4855c8 12 bytes [48, B8, B9, 6C, E5, 75, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff49b85c 12 bytes [48, B8, F9, 6A, E5, 75, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff49b9d0 12 bytes [48, B8, 79, 60, E5, 75, 00, ...] .text D:\Windows\System32\svchost.exe[5964] D:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff49ba3c 12 bytes [48, B8, B9, 5E, E5, 75, 00, ...] .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007781fb28 5 bytes JMP 00000001746b2be9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007781fc20 5 bytes JMP 00000001746b1da9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007781fc50 5 bytes JMP 00000001746b15f1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007781fc80 5 bytes JMP 00000001746b1689 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007781fcb0 5 bytes JMP 00000001746b2b51 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007781fdc8 5 bytes JMP 00000001746b37c9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007781fe14 5 bytes JMP 00000001746b1c79 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007781fe44 5 bytes JMP 00000001746b1ed9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007781ff24 5 bytes JMP 00000001746b1e41 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007781ffa4 5 bytes JMP 00000001746b3861 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007781ffec 5 bytes JMP 00000001746b1ab1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077820004 5 bytes JMP 00000001746b1981 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778201c4 5 bytes JMP 00000001746b3991 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007782079c 5 bytes JMP 00000001746b3731 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077820814 5 bytes JMP 00000001746b1a19 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778208a4 5 bytes JMP 00000001746b18e9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077820df4 5 bytes JMP 00000001746b2c81 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077821920 5 bytes JMP 00000001746b1d11 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077821be4 5 bytes JMP 00000001746b2d19 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077821d54 5 bytes JMP 00000001746b2139 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077821d70 5 bytes JMP 00000001746b20a1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077821d8c 5 bytes JMP 00000001746b38f9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077821ee8 5 bytes JMP 00000001746b3439 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077860d3b 5 bytes JMP 00000001746b2989 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000772e0e00 5 bytes JMP 00000001746b33a1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000772f3bbb 5 bytes JMP 00000001746b1be1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000772f9aa4 5 bytes JMP 00000001746b3271 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000772f9b05 5 bytes JMP 00000001746b3011 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000077307327 5 bytes JMP 00000001746b2009 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007730ccb1 5 bytes JMP 00000001746b2ee1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007730ccd1 5 bytes JMP 00000001746b3141 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000770eeca6 5 bytes JMP 00000001746b2301 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000770efbb7 5 bytes JMP 00000001746b2db1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000770f4608 5 bytes JMP 00000001746b2269 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000770f4631 5 bytes JMP 00000001746b1851 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076c9c9ec 5 bytes JMP 00000001746b2431 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ca2b70 5 bytes JMP 00000001746b2399 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ca361c 5 bytes JMP 00000001746b2859 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ca4965 5 bytes JMP 00000001746b3a29 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076cb70c4 5 bytes JMP 00000001746b2ab9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076cb70dc 5 bytes JMP 00000001746b25f9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076cb70f4 5 bytes JMP 00000001746b2691 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076cd31f4 5 bytes JMP 00000001746b2729 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076cd3204 5 bytes JMP 00000001746b27c1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076cd3214 5 bytes JMP 00000001746b24c9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076cd3224 5 bytes JMP 00000001746b2561 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076cd3264 5 bytes JMP 00000001746b2a21 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!GetMessageW 00000000757a78e2 5 bytes JMP 00000001746b3569 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!GetMessageA 00000000757a7bd3 5 bytes JMP 00000001746b34d1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000757ab6ed 5 bytes JMP 00000001746b3ac1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 5 bytes JMP 00000001746b21d1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 5 bytes JMP 00000001746b3699 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 5 bytes JMP 00000001746b3601 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 5 bytes JMP 00000001746b17b9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 5 bytes JMP 00000001746b1721 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\WS2_32.dll!connect 00000000753d6bdd 5 bytes JMP 00000001746b28f1 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076b91401 2 bytes JMP 7730b21b D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076b91419 2 bytes JMP 7730b346 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076b91431 2 bytes JMP 77388ea9 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076b9144a 2 bytes CALL 772e48ad D:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076b914dd 2 bytes JMP 773887a2 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076b914f5 2 bytes JMP 77388978 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076b9150d 2 bytes JMP 77388698 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076b91525 2 bytes JMP 77388a62 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076b9153d 2 bytes JMP 772ffca8 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076b91555 2 bytes JMP 773068ef D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076b9156d 2 bytes JMP 77388f61 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076b91585 2 bytes JMP 77388ac2 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076b9159d 2 bytes JMP 7738865c D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076b915b5 2 bytes JMP 772ffd41 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076b915cd 2 bytes JMP 7730b2dc D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076b916b2 2 bytes JMP 77388e24 D:\Windows\syswow64\kernel32.dll .text D:\Windows\SysWOW64\explorer.exe[5464] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076b916bd 2 bytes JMP 773885f1 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007781fcb0 5 bytes JMP 0000000100e007d0 .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\kernel32.dll!UnhandledExceptionFilter 00000000773076f7 5 bytes JMP 0000000100b007d0 .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076b91401 2 bytes JMP 7730b21b D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076b91419 2 bytes JMP 7730b346 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076b91431 2 bytes JMP 77388ea9 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076b9144a 2 bytes CALL 772e48ad D:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076b914dd 2 bytes JMP 773887a2 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076b914f5 2 bytes JMP 77388978 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076b9150d 2 bytes JMP 77388698 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076b91525 2 bytes JMP 77388a62 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076b9153d 2 bytes JMP 772ffca8 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076b91555 2 bytes JMP 773068ef D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076b9156d 2 bytes JMP 77388f61 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076b91585 2 bytes JMP 77388ac2 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076b9159d 2 bytes JMP 7738865c D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076b915b5 2 bytes JMP 772ffd41 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076b915cd 2 bytes JMP 7730b2dc D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076b916b2 2 bytes JMP 77388e24 D:\Windows\syswow64\kernel32.dll .text D:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\OBKAgent.exe[5560] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076b916bd 2 bytes JMP 773885f1 D:\Windows\syswow64\kernel32.dll .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007781f8f0 5 bytes JMP 00000001746b6619 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007781f928 5 bytes JMP 00000001746b6ca1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtClose 000000007781f9e0 5 bytes JMP 00000001746b5c99 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007781fb28 5 bytes JMP 00000001746b56a9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007781fc20 5 bytes JMP 00000001746b31d9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007781fc50 5 bytes JMP 00000001746b15f1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007781fc80 5 bytes JMP 00000001746b1689 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007781fcb0 5 bytes JMP 00000001746b5611 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007781fdc8 5 bytes JMP 00000001746b6c09 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007781fe14 5 bytes JMP 00000001746b30a9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007781fe44 5 bytes JMP 00000001746b3309 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007781ff24 5 bytes JMP 00000001746b3271 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007781ffa4 5 bytes JMP 00000001746b6d39 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007781ffec 5 bytes JMP 00000001746b2ee1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077820004 5 bytes JMP 00000001746b2db1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778200b4 5 bytes JMP 00000001746b1ed9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778201c4 5 bytes JMP 00000001746b2301 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007782079c 5 bytes JMP 00000001746b6b71 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077820814 5 bytes JMP 00000001746b2e49 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778208a4 5 bytes JMP 00000001746b2d19 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077820df4 5 bytes JMP 00000001746b5d31 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077821604 5 bytes JMP 00000001746b4ac9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077821920 5 bytes JMP 00000001746b3141 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077821be4 5 bytes JMP 00000001746b5dc9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077821d54 5 bytes JMP 00000001746b3439 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077821d70 5 bytes JMP 00000001746b33a1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077821d8c 5 bytes JMP 00000001746b6dd1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077821ee8 5 bytes JMP 00000001746b69a9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778388c4 5 bytes JMP 00000001746b1ab1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077860d3b 5 bytes JMP 00000001746b2009 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778a860f 5 bytes JMP 00000001746b4b61 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778ae8ab 5 bytes JMP 00000001746b1f71 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000772e0e00 5 bytes JMP 00000001746b1da9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000772e1072 5 bytes JMP 00000001746b2a21 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000772e499f 5 bytes JMP 00000001746b25f9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000772f3bbb 5 bytes JMP 00000001746b3011 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000772f9aa4 5 bytes JMP 00000001746b6581 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000772f9b05 5 bytes JMP 00000001746b6321 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000077307327 5 bytes JMP 00000001746b2729 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!Process32NextW 00000000773088da 5 bytes JMP 00000001746b5c01 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007730ccb1 5 bytes JMP 00000001746b61f1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007730ccd1 5 bytes JMP 00000001746b6451 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!WinExec 0000000077362ff1 5 bytes JMP 00000001746b28f1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007738748b 5 bytes JMP 00000001746b46a1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000773874ae 5 bytes JMP 00000001746b47d1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000077387859 5 bytes JMP 00000001746b4901 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000773878d2 5 bytes JMP 00000001746b4a31 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000770e8f8d 5 bytes JMP 00000001746b1a19 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000770ec436 5 bytes JMP 00000001746b3b59 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000770eeca6 5 bytes JMP 00000001746b3601 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000770ef206 5 bytes JMP 00000001746b2399 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000770efa89 5 bytes JMP 00000001746b1e41 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 00000000770efbb7 5 bytes JMP 00000001746b60c1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000770f1358 5 bytes JMP 00000001746b3ac1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000770f137f 5 bytes JMP 00000001746b3a29 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d29 5 bytes JMP 00000001746b1981 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000770f1e15 5 bytes JMP 00000001746b24c9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2ab1 5 bytes JMP 00000001746b57d9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000770f2cd9 5 bytes JMP 00000001746b5741 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d17 5 bytes JMP 00000001746b5871 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000770f2e7a 5 bytes JMP 00000001746b18e9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000770f3b70 5 bytes JMP 00000001746b2269 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000770f4496 5 bytes JMP 00000001746b2431 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000770f4608 5 bytes JMP 00000001746b3569 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000770f4631 5 bytes JMP 00000001746b2c81 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000770fc734 5 bytes JMP 00000001746b27c1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076c9c9ec 5 bytes JMP 00000001746b3c89 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ca2b70 5 bytes JMP 00000001746b3bf1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ca361c 5 bytes JMP 00000001746b40b1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ca4965 1 byte JMP 00000001746b6e69 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 224 0000000076ca4967 3 bytes {JMP QWORD [RCX]} .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076cb70c4 5 bytes JMP 00000001746b4311 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076cb70dc 5 bytes JMP 00000001746b3e51 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076cb70f4 5 bytes JMP 00000001746b3ee9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076cd31f4 5 bytes JMP 00000001746b3f81 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076cd3204 5 bytes JMP 00000001746b4019 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076cd3214 5 bytes JMP 00000001746b3d21 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076cd3224 5 bytes JMP 00000001746b3db9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076cd3264 5 bytes JMP 00000001746b4279 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007722a472 5 bytes JMP 00000001746b6f01 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000772327ce 5 bytes JMP 00000001746b1be1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\msvcrt.dll!__p__environ 000000007723e6cf 5 bytes JMP 00000001746b1b49 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!GetMessageW 00000000757a78e2 5 bytes JMP 00000001746b4441 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!GetMessageA 00000000757a7bd3 5 bytes JMP 00000001746b43a9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000757a8a29 5 bytes JMP 00000001746b4f89 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!FindWindowW 00000000757a98fd 5 bytes JMP 00000001746b5a39 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000757ab6ed 5 bytes JMP 00000001746b6f99 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000757ad22e 5 bytes JMP 00000001746b5021 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 5 bytes JMP 00000001746b34d1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!FindWindowA 00000000757affe6 5 bytes JMP 00000001746b5909 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!FindWindowExA 00000000757b00d9 5 bytes JMP 00000001746b59a1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!PeekMessageW 00000000757b05ba 5 bytes JMP 00000001746b4571 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!ShowWindow 00000000757b0dfb 5 bytes JMP 00000001746b50b9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 5 bytes JMP 00000001746b6ad9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000757b20ec 5 bytes JMP 00000001746b5449 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 5 bytes JMP 00000001746b6a41 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!PeekMessageA 00000000757b5f74 5 bytes JMP 00000001746b44d9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000757b6285 5 bytes JMP 00000001746b4bf9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 5 bytes JMP 00000001746b2be9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000757b7aee 5 bytes JMP 00000001746b53b1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 5 bytes JMP 00000001746b2b51 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000757cce54 5 bytes JMP 00000001746b51e9 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757cf52b 5 bytes JMP 00000001746b4c91 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!FindWindowExW 00000000757cf588 5 bytes JMP 00000001746b5ad1 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000757d10a0 5 bytes JMP 00000001746b5151 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000757ffcd6 2 bytes JMP 00000001746b5281 .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 00000000757ffcd9 2 bytes {JMP 0x0} .text D:\Users\Grzegorz\Downloads\z3k8tyry.exe[3144] D:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000757ffcfa 5 bytes JMP 00000001746b5319 ---- User IAT/EAT - GMER 2.1 ---- IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7feea53741c] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7feea535f10] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7feea535674] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7feea535e2c] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7feea537f48] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7feea536a38] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7feea536ee8] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7feea537b58] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7feea537ea0] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7feea5378b0] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7feea534fb4] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7feea535d38] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3488] @ D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7feea537584] D:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:2908] 0000000077852e65 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:1956] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:1464] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:2280] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:2284] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:2372] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:2428] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3216] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3220] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3224] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3968] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3988] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3992] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3996] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4000] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4004] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4008] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3308] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:3720] 0000000077853e85 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4220] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4224] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4228] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4688] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:4692] 00000000732029e1 Thread D:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2652:5104] 0000000077853e85 ---- Processes - GMER 2.1 ---- Library \\?\D:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll (*** suspicious ***) @ D:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [860] (FILE NOT FOUND) 000007fefb850000 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Users\Grzegorz\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- Files - GMER 2.1 ---- File D:\Windows\Temp\~bd3825.tmp 0 bytes ---- EOF - GMER 2.1 ----