GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-13 16:27:53 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d PLEXTOR_PX-128M6S rev.1.08 119,24GB Running: Gmer.exe; Driver: C:\Temp\pwddrpob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\NTASN1.dll [2640] entry point in ".rdata" section 000000007251bb10 .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007ffca2f8cb61 11 bytes [B8, DC, 2B, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007ffca2f8cde0 12 bytes [48, B8, 08, 2D, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007ffca2f8dd91 11 bytes [B8, 60, 2F, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007ffca2f8dfb1 11 bytes [B8, 9E, 2D, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007ffca2f8e231 11 bytes [B8, F6, 2F, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007ffca2f8ea01 11 bytes [B8, 34, 2E, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007ffca2f8eb50 12 bytes [48, B8, 72, 2C, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007ffca2f8f1e0 12 bytes [48, B8, 1A, 2A, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, 84, 29, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007ffca2f91900 12 bytes [48, B8, B0, 2A, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007ffca2f95401 11 bytes [B8, 46, 2B, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007ffca2f973a1 11 bytes [B8, CA, 2E, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007ffca2f990c1 11 bytes [B8, 58, 28, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WINHTTP.dll!WinHttpOpenRequest 00007ffc9a1d92e0 12 bytes [48, B8, 8C, 30, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WINHTTP.dll!WinHttpCloseHandle + 1 00007ffc9a1e4421 11 bytes [B8, 22, 31, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\WINHTTP.dll!WinHttpConnect + 1 00007ffc9a1f4681 11 bytes [B8, B8, 31, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\DNSAPI.dll!DnsQueryEx + 1 00007ffc9e3a19f1 11 bytes [B8, A6, 34, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_UTF8 00007ffc9e3be9f0 12 bytes [48, B8, 10, 34, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_W 00007ffc9e3bea50 12 bytes [48, B8, 7A, 33, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007ffc9e3c7911 11 bytes [B8, 4E, 32, B2, 7A, 4F, 01, ...] .text C:\WINDOWS\system32\dashost.exe[2672] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_A 00007ffc9e3e9510 12 bytes [48, B8, E4, 32, B2, 7A, 4F, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW 00007ffc9fad6aa0 12 bytes [48, B8, BC, 0F, 24, B1, 74, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1 00007ffc9fadc961 11 bytes [B8, D6, 13, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!FindClose + 1 00007ffc9fadd221 11 bytes [B8, A0, 1C, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW 00007ffc9fadd4b0 12 bytes [48, B8, 74, 1B, 24, B1, 74, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!OpenThread 00007ffc9faeabc0 12 bytes [48, B8, E0, 09, 24, B1, 74, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1 00007ffc9faeac31 11 bytes [B8, 0A, 1C, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW + 1 00007ffc9faec191 11 bytes [B8, 38, 0C, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle + 1 00007ffc9faec441 11 bytes [B8, CE, 0C, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc9faec610 12 bytes [48, B8, 40, 13, 24, B1, 74, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1 00007ffc9faeca61 11 bytes [B8, A2, 0B, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress + 1 00007ffc9fb08141 11 bytes [B8, 6C, 14, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc9fb0d040 12 bytes [48, B8, 9A, 04, 24, B1, 74, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1 00007ffc9fb13c51 8 bytes [B8, 86, 18, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10 00007ffc9fb13c5a 2 bytes [50, C3] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1 00007ffc9fb13c81 8 bytes [B8, B2, 19, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 10 00007ffc9fb13c8a 2 bytes [50, C3] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1 00007ffc9fb2faa1 11 bytes [B8, AA, 12, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1 00007ffc9fb308c1 11 bytes [B8, 0C, 0B, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1 00007ffc9fb408e1 11 bytes [B8, 5A, 17, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1 00007ffc9fb42e31 11 bytes [B8, 90, 0E, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1 00007ffc9fb809c1 11 bytes [B8, FA, 0D, 24, B1, 74, 02, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA 00007ffc9fb81480 12 bytes [48, B8, 26, 0F, 24, B1, 74, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread 00007ffc9fb95350 12 bytes [48, B8, AC, 01, 24, B1, 74, ...] .text C:\WINDOWS\system32\sihost.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread 00007ffc9fb953a0 12 bytes [48, B8, 76, 0A, 24, B1, 74, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007ffca337cec1 11 bytes [B8, 64, 0D, B1, FA, 9B, 01, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 00007ffca337d821 11 bytes [B8, DE, 1A, B1, FA, 9B, 01, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile 00007ffca33d4e40 12 bytes [48, B8, 24, 20, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffca33d4f20 12 bytes [48, B8, 98, 15, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffca33d50c0 12 bytes [48, B8, 14, 12, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffca33d5200 12 bytes [48, B8, 5C, 06, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffca33d5240 12 bytes [48, B8, 80, 00, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffca33d5280 12 bytes [48, B8, 16, 01, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffca33d52c0 12 bytes [48, B8, 7E, 11, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffca33d5420 12 bytes [48, B8, F8, 1E, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffca33d5480 12 bytes [48, B8, 30, 05, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffca33d54c0 12 bytes [48, B8, 88, 07, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffca33d5560 12 bytes [48, B8, 48, 1A, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffca33d55e0 12 bytes [48, B8, F2, 06, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffca33d5680 12 bytes [48, B8, BA, 20, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007ffca33d56e0 12 bytes [48, B8, 04, 04, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffca33d5700 12 bytes [48, B8, D8, 02, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffca33d57e0 12 bytes [48, B8, 8E, 1F, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffca33d5930 12 bytes [48, B8, E6, 21, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffca33d6230 12 bytes [48, B8, 62, 1E, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007ffca33d62f0 12 bytes [48, B8, 6E, 03, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffca33d63b0 12 bytes [48, B8, 42, 02, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffca33d6c10 12 bytes [48, B8, 2E, 16, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError 00007ffca33d7730 12 bytes [48, B8, 52, 10, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffca33d7b70 12 bytes [48, B8, C6, 05, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffca33d7f50 12 bytes [48, B8, C4, 16, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffca33d8170 12 bytes [48, B8, 4A, 09, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffca33d8190 12 bytes [48, B8, B4, 08, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffca33d81b0 12 bytes [48, B8, 50, 21, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffca33d83d0 12 bytes [48, B8, CC, 1D, B1, FA, 9B, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlReportException + 1 00007ffca3400611 11 bytes [B8, E8, 10, B1, FA, 9B, 01, ...] .text C:\WINDOWS\system32\taskhostw.exe[3828] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, E2, 44, B1, FA, 9B, 01, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007ffca337cec1 11 bytes [B8, A2, 0B, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffca33d50c0 5 bytes [48, B8, CE, 0C, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00007ffca33d50c8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffca33d5200 5 bytes [48, B8, 5C, 06, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00007ffca33d5208 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffca33d5240 5 bytes [48, B8, 80, 00, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00007ffca33d5248 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffca33d5280 5 bytes [48, B8, 16, 01, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00007ffca33d5288 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffca33d52c0 5 bytes [48, B8, 38, 0C, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00007ffca33d52c8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffca33d5420 5 bytes [48, B8, 2E, 16, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection + 8 00007ffca33d5428 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffca33d5480 5 bytes [48, B8, 30, 05, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00007ffca33d5488 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffca33d54c0 5 bytes [48, B8, 88, 07, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00007ffca33d54c8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffca33d5560 5 bytes [48, B8, 7E, 11, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00007ffca33d5568 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffca33d55e0 5 bytes [48, B8, F2, 06, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00007ffca33d55e8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffca33d5680 5 bytes [48, B8, C4, 16, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection + 8 00007ffca33d5688 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007ffca33d56e0 5 bytes [48, B8, 04, 04, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00007ffca33d56e8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffca33d5700 5 bytes [48, B8, D8, 02, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread + 8 00007ffca33d5708 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffca33d5930 5 bytes [48, B8, F0, 17, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00007ffca33d5938 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffca33d6230 5 bytes [48, B8, 98, 15, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00007ffca33d6238 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007ffca33d62f0 5 bytes [48, B8, 6E, 03, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00007ffca33d62f8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffca33d63b0 5 bytes [48, B8, 42, 02, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00007ffca33d63b8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffca33d6c10 5 bytes [48, B8, 64, 0D, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00007ffca33d6c18 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffca33d7b70 6 bytes [48, B8, C6, 05, 48, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00007ffca33d7b78 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffca33d7f50 6 bytes [48, B8, FA, 0D, 48, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00007ffca33d7f58 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffca33d8170 6 bytes [48, B8, 4A, 09, 48, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00007ffca33d8178 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffca33d8190 6 bytes [48, B8, B4, 08, 48, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00007ffca33d8198 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffca33d81b0 6 bytes [48, B8, 5A, 17, 48, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00007ffca33d81b8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffca33d83d0 6 bytes [48, B8, 02, 15, 48, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 8 00007ffca33d83d8 4 bytes [00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1 00007ffca1495d71 11 bytes [B8, 6C, 14, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot 00007ffca149e800 12 bytes [48, B8, 1E, 08, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1 00007ffca14b1391 3 bytes [B8, 26, 0F] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 5 00007ffca14b1395 4 bytes [00, 00, 00, 00] .text ... * 2 .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1 00007ffca14b1491 3 bytes [B8, 52, 10] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 5 00007ffca14b1495 4 bytes [00, 00, 00, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!FindClose + 1 00007ffc9fadd221 11 bytes [B8, D6, 13, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW 00007ffc9fadd4b0 12 bytes [48, B8, AA, 12, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!OpenThread 00007ffc9faeabc0 12 bytes [48, B8, E0, 09, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1 00007ffc9faeac31 11 bytes [B8, 40, 13, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress + 1 00007ffc9fb08141 11 bytes [B8, 14, 12, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc9fb0d040 12 bytes [48, B8, 9A, 04, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1 00007ffc9fb13c51 3 bytes [B8, BC, 0F] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 5 00007ffc9fb13c55 4 bytes [00, 00, 00, 00] .text ... * 2 .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1 00007ffc9fb13c81 3 bytes [B8, E8, 10] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 5 00007ffc9fb13c85 4 bytes [00, 00, 00, 00] .text ... * 2 .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1 00007ffc9fb308c1 11 bytes [B8, 0C, 0B, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1 00007ffc9fb408e1 11 bytes [B8, 90, 0E, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread 00007ffc9fb95350 12 bytes [48, B8, AC, 01, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread 00007ffc9fb953a0 12 bytes [48, B8, 76, 0A, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1 00007ffca13028e1 8 bytes [B8, 74, 1C, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10 00007ffca13028ea 2 bytes [50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1 00007ffca130a8d1 11 bytes [B8, 86, 18, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrA 00007ffca130d740 12 bytes [48, B8, 8E, 20, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!GetWindowLongA 00007ffca130f770 12 bytes [48, B8, BA, 21, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!GetWindowLongW + 1 00007ffca130f881 11 bytes [B8, 50, 22, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrW + 1 00007ffca130faf1 11 bytes [B8, 24, 21, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 1 00007ffca1317221 11 bytes [B8, 12, 24, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA 00007ffca1317810 5 bytes [48, B8, E6, 22, 48] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA + 6 00007ffca1317816 6 bytes [00, 00, 00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1 00007ffca1319481 11 bytes [B8, 6A, 26, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1 00007ffca131cad1 2 bytes [B8, A8] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!GetMessageA + 4 00007ffca131cad4 8 bytes [48, 00, 00, 00, 00, 00, 50, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffca1321d50 12 bytes [48, B8, F8, 1F, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!GetMessageW 00007ffca1322df0 12 bytes [48, B8, 3E, 25, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1 00007ffca1323c61 5 bytes [B8, CC, 1E, 48, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9 00007ffca1323c69 3 bytes [00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1 00007ffca1325aa1 7 bytes [B8, 62, 1F, 48, 00, 00, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9 00007ffca1325aa9 3 bytes [00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1 00007ffca1325dd1 7 bytes [B8, 0A, 1D, 48, 00, 00, 00] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9 00007ffca1325dd9 3 bytes [00, 50, C3] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffca1326dd0 12 bytes [48, B8, A0, 1D, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1 00007ffca1327641 11 bytes [B8, D4, 25, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA + 1 00007ffca132d0c1 11 bytes [B8, 7C, 23, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1 00007ffca13887a1 11 bytes [B8, 36, 1E, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007ffca19c2fc1 11 bytes [B8, C2, 28, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007ffca19c44d0 12 bytes [48, B8, 00, 27, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007ffca19c67e0 12 bytes [48, B8, 96, 27, 48, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007ffca19c6881 11 bytes [B8, B0, 2B, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007ffca19c7b51 11 bytes [B8, 58, 29, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007ffca19d38b1 11 bytes [B8, 48, 1A, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007ffca19d4d81 11 bytes [B8, 1A, 2B, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007ffca19d9211 11 bytes [B8, 84, 2A, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007ffca19e8ac1 11 bytes [B8, 2C, 28, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007ffca19e9351 11 bytes [B8, EE, 29, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, 4E, 33, 48, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[3184] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007ffca2f990c1 11 bytes [B8, B8, 32, 48, 00, 00, 00, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW 00007ffc9fad6aa0 12 bytes [48, B8, BC, 0F, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1 00007ffc9fadc961 11 bytes [B8, D6, 13, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!FindClose + 1 00007ffc9fadd221 11 bytes [B8, A0, 1C, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW 00007ffc9fadd4b0 12 bytes [48, B8, 74, 1B, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!OpenThread 00007ffc9faeabc0 12 bytes [48, B8, E0, 09, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1 00007ffc9faeac31 11 bytes [B8, 0A, 1C, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW + 1 00007ffc9faec191 11 bytes [B8, 38, 0C, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle + 1 00007ffc9faec441 11 bytes [B8, CE, 0C, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc9faec610 12 bytes [48, B8, 40, 13, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1 00007ffc9faeca61 11 bytes [B8, A2, 0B, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress + 1 00007ffc9fb08141 11 bytes [B8, 6C, 14, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc9fb0d040 12 bytes [48, B8, 9A, 04, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1 00007ffc9fb13c51 8 bytes [B8, 86, 18, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10 00007ffc9fb13c5a 2 bytes [50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1 00007ffc9fb13c81 8 bytes [B8, B2, 19, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 10 00007ffc9fb13c8a 2 bytes [50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1 00007ffc9fb2faa1 11 bytes [B8, AA, 12, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1 00007ffc9fb308c1 11 bytes [B8, 0C, 0B, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1 00007ffc9fb408e1 11 bytes [B8, 5A, 17, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1 00007ffc9fb42e31 11 bytes [B8, 90, 0E, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1 00007ffc9fb809c1 11 bytes [B8, FA, 0D, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA 00007ffc9fb81480 12 bytes [48, B8, 26, 0F, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread 00007ffc9fb95350 12 bytes [48, B8, AC, 01, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread 00007ffc9fb953a0 12 bytes [48, B8, 76, 0A, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007ffca19c2fc1 11 bytes [B8, 00, 26, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007ffca19c44d0 12 bytes [48, B8, 3E, 24, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007ffca19c67e0 12 bytes [48, B8, D4, 24, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007ffca19c6881 11 bytes [B8, EE, 28, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007ffca19c7b51 11 bytes [B8, 96, 26, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007ffca19d38b1 11 bytes [B8, 7C, 22, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007ffca19d4d81 11 bytes [B8, 58, 28, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007ffca19d9211 11 bytes [B8, C2, 27, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007ffca19e8ac1 11 bytes [B8, 6A, 25, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007ffca19e9351 11 bytes [B8, 2C, 27, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1 00007ffca13028e1 8 bytes [B8, 84, 29, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10 00007ffca13028ea 2 bytes [50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1 00007ffca130a8d1 11 bytes [B8, A8, 23, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffca130b4e0 8 bytes [48, B8, CA, 2E, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10 00007ffca130b4ea 2 bytes [50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrA 00007ffca130d740 12 bytes [48, B8, 68, 36, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!GetWindowLongA 00007ffca130f770 12 bytes [48, B8, 94, 37, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!GetWindowLongW + 1 00007ffca130f881 11 bytes [B8, 2A, 38, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrW + 1 00007ffca130faf1 11 bytes [B8, FE, 36, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1 00007ffca13159f1 11 bytes [B8, 7A, 33, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!CallNextHookEx 00007ffca1316150 12 bytes [48, B8, 9E, 2D, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 1 00007ffca1317221 11 bytes [B8, EC, 39, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA 00007ffca1317810 12 bytes [48, B8, C0, 38, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1 00007ffca1319131 11 bytes [B8, 8C, 30, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1 00007ffca1319481 11 bytes [B8, 18, 3B, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1 00007ffca131c541 11 bytes [B8, 72, 2C, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1 00007ffca131c671 11 bytes [B8, 08, 2D, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1 00007ffca131cad1 11 bytes [B8, 46, 2B, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffca1321d50 12 bytes [48, B8, D2, 35, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!GetMessageW 00007ffca1322df0 12 bytes [48, B8, DC, 2B, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1 00007ffca1323c61 7 bytes [B8, A6, 34, 9D, 81, E3, 01] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9 00007ffca1323c69 3 bytes [00, 50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1 00007ffca1325aa1 7 bytes [B8, 3C, 35, 9D, 81, E3, 01] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9 00007ffca1325aa9 3 bytes [00, 50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1 00007ffca1325dd1 7 bytes [B8, 1A, 2A, 9D, 81, E3, 01] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9 00007ffca1325dd9 3 bytes [00, 50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffca1326dd0 12 bytes [48, B8, B0, 2A, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1 00007ffca1327641 11 bytes [B8, 82, 3A, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffca1328a40 8 bytes [48, B8, 60, 2F, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10 00007ffca1328a4a 2 bytes [50, C3] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1 00007ffca132c641 11 bytes [B8, 22, 31, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA + 1 00007ffca132d0c1 11 bytes [B8, 56, 39, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!ShowWindow 00007ffca1332980 12 bytes [48, B8, F6, 2F, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx 00007ffca1332c80 12 bytes [48, B8, 34, 2E, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1 00007ffca137e101 11 bytes [B8, B8, 31, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1 00007ffca137e131 11 bytes [B8, 4E, 32, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1 00007ffca13884e1 11 bytes [B8, E4, 32, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1 00007ffca13887a1 11 bytes [B8, 10, 34, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, E2, 44, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpOpenRequest 00007ffc9a1d92e0 12 bytes [48, B8, 0E, 46, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpCloseHandle + 1 00007ffc9a1e4421 11 bytes [B8, A4, 46, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpConnect + 1 00007ffc9a1f4681 11 bytes [B8, 3A, 47, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\Windows\System32\urlmon.dll!URLDownloadToCacheFileW 00007ffc9158cc60 12 bytes [48, B8, FC, 48, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\Windows\System32\urlmon.dll!URLDownloadToFileW + 1 00007ffc9159cac1 11 bytes [B8, 66, 48, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\msi.dll!MsiInstallProductA + 1 00007ffc831f5531 11 bytes [B8, 54, 4B, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\msi.dll!MsiInstallProductW + 1 00007ffc831f5771 11 bytes [B8, EA, 4B, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\msi.dll!MsiQueryProductStateA + 1 00007ffc831f9451 11 bytes [B8, 80, 4C, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\msi.dll!MsiQueryProductStateW + 1 00007ffc831f9741 11 bytes [B8, 16, 4D, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\msi.dll!MsiOpenDatabaseA + 1 00007ffc832117e1 11 bytes [B8, 28, 4A, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\WINDOWS\system32\msi.dll!MsiOpenDatabaseW + 1 00007ffc83211921 11 bytes [B8, BE, 4A, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\Windows\System32\DNSAPI.dll!DnsQueryEx + 1 00007ffc9e3a19f1 11 bytes [B8, A2, 57, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 00007ffc9e3be9f0 12 bytes [48, B8, 0C, 57, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 00007ffc9e3bea50 12 bytes [48, B8, 76, 56, 9D, 81, E3, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\Windows\System32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007ffc9e3c7911 11 bytes [B8, 4A, 55, 9D, 81, E3, 01, ...] .text C:\Windows\System32\RuntimeBroker.exe[3276] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 00007ffc9e3e9510 12 bytes [48, B8, E0, 55, 9D, 81, E3, ...] ? C:\WINDOWS\SYSTEM32\NTASN1.dll [4976] entry point in ".rdata" section 000000007251bb10 .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, E2, 44, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007ffca2f8cb61 11 bytes [B8, 66, 48, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007ffca2f8cde0 12 bytes [48, B8, 92, 49, BD, 25, 1A, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007ffca2f8dd91 11 bytes [B8, EA, 4B, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007ffca2f8dfb1 11 bytes [B8, 28, 4A, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007ffca2f8e231 11 bytes [B8, 80, 4C, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007ffca2f8ea01 11 bytes [B8, BE, 4A, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007ffca2f8eb50 12 bytes [48, B8, FC, 48, BD, 25, 1A, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007ffca2f8f1e0 12 bytes [48, B8, A4, 46, BD, 25, 1A, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, 0E, 46, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007ffca2f91900 12 bytes [48, B8, 3A, 47, BD, 25, 1A, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007ffca2f95401 11 bytes [B8, D0, 47, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007ffca2f973a1 11 bytes [B8, 54, 4B, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007ffca2f990c1 11 bytes [B8, 78, 45, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpOpenRequest 00007ffc9a1d92e0 12 bytes [48, B8, AC, 4D, BD, 25, 1A, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpCloseHandle + 1 00007ffc9a1e4421 11 bytes [B8, 42, 4E, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpConnect + 1 00007ffc9a1f4681 11 bytes [B8, D8, 4E, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\DNSAPI.dll!DnsQueryEx + 1 00007ffc9e3a19f1 11 bytes [B8, C6, 51, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_UTF8 00007ffc9e3be9f0 12 bytes [48, B8, 30, 51, BD, 25, 1A, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_W 00007ffc9e3bea50 12 bytes [48, B8, 9A, 50, BD, 25, 1A, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007ffc9e3c7911 11 bytes [B8, 6E, 4F, BD, 25, 1A, 02, ...] .text C:\WINDOWS\system32\DllHost.exe[5060] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_A 00007ffc9e3e9510 12 bytes [48, B8, 04, 50, BD, 25, 1A, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, A4, 46, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9 00007ffc906a6c30 12 bytes [48, B8, 3A, 47, 58, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007ffca2f8cb61 11 bytes [B8, 16, 4D, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007ffca2f8cde0 12 bytes [48, B8, 42, 4E, 58, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007ffca2f8dd91 11 bytes [B8, 9A, 50, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007ffca2f8dfb1 11 bytes [B8, D8, 4E, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007ffca2f8e231 11 bytes [B8, 30, 51, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007ffca2f8ea01 11 bytes [B8, 6E, 4F, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007ffca2f8eb50 12 bytes [48, B8, AC, 4D, 58, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007ffca2f8f1e0 12 bytes [48, B8, 54, 4B, 58, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, BE, 4A, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007ffca2f91900 12 bytes [48, B8, EA, 4B, 58, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007ffca2f95401 11 bytes [B8, 80, 4C, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007ffca2f973a1 11 bytes [B8, 04, 50, 58, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5736] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007ffca2f990c1 11 bytes [B8, 28, 4A, 58, 00, 00, 00, ...] ? C:\WINDOWS\SYSTEM32\apphelp.dll [6244] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6244] entry point in ".rdata" section 000000006966c4c0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [6244] entry point in ".rdata" section 000000006482bc40 ? C:\WINDOWS\system32\apphelp.dll [7084] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [4648] entry point in ".rdata" section 0000000068458fa0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4648] entry point in ".rdata" section 000000006966c4c0 .text C:\Windows\System32\SystemSettingsBroker.exe[8116] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, E2, 44, 5F, DD, 8A, 01, ...] .text C:\WINDOWS\system32\ApplicationFrameHost.exe[6968] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, E2, 44, 02, 32, 65, 01, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007ffca337cec1 11 bytes [B8, 64, 0D, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 00007ffca337d821 11 bytes [B8, 48, 1A, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile 00007ffca33d4e40 12 bytes [48, B8, 8E, 1F, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffca33d4f20 12 bytes [48, B8, 98, 15, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffca33d50c0 12 bytes [48, B8, 14, 12, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffca33d5200 12 bytes [48, B8, 5C, 06, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffca33d5240 12 bytes [48, B8, 80, 00, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffca33d5280 12 bytes [48, B8, 16, 01, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffca33d52c0 12 bytes [48, B8, 7E, 11, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffca33d5420 12 bytes [48, B8, 62, 1E, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffca33d5480 12 bytes [48, B8, 30, 05, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffca33d54c0 12 bytes [48, B8, 88, 07, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffca33d55e0 12 bytes [48, B8, F2, 06, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffca33d5680 12 bytes [48, B8, 24, 20, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007ffca33d56e0 12 bytes [48, B8, 04, 04, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffca33d5700 12 bytes [48, B8, D8, 02, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffca33d57e0 12 bytes [48, B8, F8, 1E, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffca33d5930 12 bytes [48, B8, 50, 21, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffca33d6230 12 bytes [48, B8, CC, 1D, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007ffca33d62f0 12 bytes [48, B8, 6E, 03, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffca33d63b0 12 bytes [48, B8, 42, 02, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffca33d6c10 12 bytes [48, B8, 2E, 16, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError 00007ffca33d7730 12 bytes [48, B8, 52, 10, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffca33d7b70 12 bytes [48, B8, C6, 05, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffca33d7f50 12 bytes [48, B8, C4, 16, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffca33d8170 12 bytes [48, B8, 4A, 09, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffca33d8190 12 bytes [48, B8, B4, 08, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffca33d81b0 12 bytes [48, B8, BA, 20, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffca33d83d0 12 bytes [48, B8, 36, 1D, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlReportException + 1 00007ffca3400611 11 bytes [B8, E8, 10, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007ffca2f8cb61 11 bytes [B8, B0, 2A, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007ffca2f8cde0 12 bytes [48, B8, DC, 2B, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007ffca2f8dd91 11 bytes [B8, 34, 2E, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007ffca2f8dfb1 11 bytes [B8, 72, 2C, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007ffca2f8e231 11 bytes [B8, CA, 2E, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007ffca2f8ea01 11 bytes [B8, 08, 2D, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007ffca2f8eb50 12 bytes [48, B8, 46, 2B, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007ffca2f8f1e0 12 bytes [48, B8, EE, 28, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, 58, 28, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007ffca2f91900 12 bytes [48, B8, 84, 29, 76, F5, 2A, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007ffca2f95401 11 bytes [B8, 1A, 2A, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007ffca2f973a1 11 bytes [B8, 9E, 2D, 76, F5, 2A, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4616] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007ffca2f990c1 11 bytes [B8, E6, 21, 76, F5, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3712] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, E2, 44, 84, 00, 00, 00, ...] .text C:\WINDOWS\system32\nvvsvc.exe[4656] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, E2, 44, CD, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007ffca2f8cb61 11 bytes [B8, 34, 2E, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007ffca2f8cde0 12 bytes [48, B8, 60, 2F, 20, 25, 4D, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007ffca2f8dd91 11 bytes [B8, B8, 31, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007ffca2f8dfb1 11 bytes [B8, F6, 2F, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007ffca2f8e231 11 bytes [B8, 4E, 32, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007ffca2f8ea01 11 bytes [B8, 8C, 30, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007ffca2f8eb50 4 bytes [48, B8, CA, 2E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!WSASocketW + 5 00007ffca2f8eb55 7 bytes [25, 4D, 01, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007ffca2f8f1e0 12 bytes [48, B8, 72, 2C, 20, 25, 4D, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, DC, 2B, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007ffca2f91900 12 bytes [48, B8, 08, 2D, 20, 25, 4D, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007ffca2f95401 11 bytes [B8, 9E, 2D, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007ffca2f973a1 11 bytes [B8, 22, 31, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007ffca2f990c1 11 bytes [B8, 7C, 22, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, 16, 4D, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpOpenRequest 00007ffc9a1d92e0 12 bytes [48, B8, AC, 4D, 20, 25, 4D, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpCloseHandle + 1 00007ffc9a1e4421 11 bytes [B8, 42, 4E, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpConnect + 1 00007ffc9a1f4681 11 bytes [B8, D8, 4E, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQueryEx + 1 00007ffc9e3a19f1 3 bytes [B8, C6, 51] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQueryEx + 5 00007ffc9e3a19f5 7 bytes [25, 4D, 01, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_UTF8 00007ffc9e3be9f0 12 bytes [48, B8, 30, 51, 20, 25, 4D, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_W 00007ffc9e3bea50 12 bytes [48, B8, 9A, 50, 20, 25, 4D, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007ffc9e3c7911 11 bytes [B8, 6E, 4F, 20, 25, 4D, 01, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[5708] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_A 00007ffc9e3e9510 12 bytes [48, B8, 04, 50, 20, 25, 4D, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007ffca337cec1 11 bytes [B8, 64, 0D, 0A, 1B, 99, 01, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 00007ffca337d821 11 bytes [B8, DE, 1A, 0A, 1B, 99, 01, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile 00007ffca33d4e40 12 bytes [48, B8, 24, 20, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffca33d4f20 12 bytes [48, B8, 98, 15, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffca33d50c0 12 bytes [48, B8, 14, 12, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffca33d5200 12 bytes [48, B8, 5C, 06, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffca33d5240 12 bytes [48, B8, 80, 00, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffca33d5280 12 bytes [48, B8, 16, 01, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffca33d52c0 12 bytes [48, B8, 7E, 11, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffca33d5420 12 bytes [48, B8, F8, 1E, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffca33d5480 12 bytes [48, B8, 30, 05, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffca33d54c0 12 bytes [48, B8, 88, 07, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffca33d5560 12 bytes [48, B8, 48, 1A, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffca33d55e0 12 bytes [48, B8, F2, 06, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffca33d5680 12 bytes [48, B8, BA, 20, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007ffca33d56e0 12 bytes [48, B8, 04, 04, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffca33d5700 12 bytes [48, B8, D8, 02, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffca33d57e0 12 bytes [48, B8, 8E, 1F, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffca33d5930 12 bytes [48, B8, E6, 21, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffca33d6230 12 bytes [48, B8, 62, 1E, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007ffca33d62f0 12 bytes [48, B8, 6E, 03, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffca33d63b0 12 bytes [48, B8, 42, 02, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffca33d6c10 12 bytes [48, B8, 2E, 16, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError 00007ffca33d7730 12 bytes [48, B8, 52, 10, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffca33d7b70 12 bytes [48, B8, C6, 05, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffca33d7f50 12 bytes [48, B8, C4, 16, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffca33d8170 12 bytes [48, B8, 4A, 09, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffca33d8190 12 bytes [48, B8, B4, 08, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffca33d81b0 12 bytes [48, B8, 50, 21, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffca33d83d0 12 bytes [48, B8, CC, 1D, 0A, 1B, 99, ...] .text C:\WINDOWS\system32\AUDIODG.EXE[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlReportException + 1 00007ffca3400611 11 bytes [B8, E8, 10, 0A, 1B, 99, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007ffca337cec1 11 bytes [B8, 64, 0D, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 00007ffca337d821 11 bytes [B8, DE, 1A, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile 00007ffca33d4e40 12 bytes [48, B8, 24, 20, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffca33d4f20 12 bytes [48, B8, 98, 15, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffca33d50c0 12 bytes [48, B8, 14, 12, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffca33d5200 12 bytes [48, B8, 5C, 06, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffca33d5240 12 bytes [48, B8, 80, 00, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffca33d5280 12 bytes [48, B8, 16, 01, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffca33d52c0 12 bytes [48, B8, 7E, 11, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffca33d5420 12 bytes [48, B8, F8, 1E, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffca33d5480 12 bytes [48, B8, 30, 05, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffca33d54c0 12 bytes [48, B8, 88, 07, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffca33d5560 12 bytes [48, B8, 48, 1A, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffca33d55e0 12 bytes [48, B8, F2, 06, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffca33d5680 12 bytes [48, B8, BA, 20, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007ffca33d56e0 12 bytes [48, B8, 04, 04, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffca33d5700 12 bytes [48, B8, D8, 02, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffca33d57e0 12 bytes [48, B8, 8E, 1F, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffca33d5930 12 bytes [48, B8, E6, 21, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffca33d6230 12 bytes [48, B8, 62, 1E, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007ffca33d62f0 12 bytes [48, B8, 6E, 03, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffca33d63b0 12 bytes [48, B8, 42, 02, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffca33d6c10 12 bytes [48, B8, 2E, 16, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError 00007ffca33d7730 12 bytes [48, B8, 52, 10, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffca33d7b70 12 bytes [48, B8, C6, 05, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffca33d7f50 12 bytes [48, B8, C4, 16, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffca33d8170 12 bytes [48, B8, 4A, 09, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffca33d8190 12 bytes [48, B8, B4, 08, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffca33d81b0 12 bytes [48, B8, 50, 21, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffca33d83d0 12 bytes [48, B8, CC, 1D, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlReportException + 1 00007ffca3400611 11 bytes [B8, E8, 10, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007ffca2f8cb61 11 bytes [B8, 92, 49, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007ffca2f8cde0 12 bytes [48, B8, BE, 4A, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007ffca2f8dd91 11 bytes [B8, 16, 4D, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007ffca2f8dfb1 11 bytes [B8, 54, 4B, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007ffca2f8e231 11 bytes [B8, AC, 4D, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007ffca2f8ea01 11 bytes [B8, EA, 4B, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007ffca2f8eb50 12 bytes [48, B8, 28, 4A, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007ffca2f8f1e0 12 bytes [48, B8, D0, 47, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, 3A, 47, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007ffca2f91900 12 bytes [48, B8, 66, 48, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007ffca2f95401 11 bytes [B8, FC, 48, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007ffca2f973a1 11 bytes [B8, 80, 4C, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007ffca2f990c1 2 bytes [B8, D4] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\WS2_32.dll!WEP + 276 00007ffca2f990c4 8 bytes [D9, C2, D5, 01, 00, 00, 50, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, A4, 46, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQueryEx + 1 00007ffc9e3a19f1 11 bytes [B8, 9A, 50, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_UTF8 00007ffc9e3be9f0 12 bytes [48, B8, 04, 50, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_W 00007ffc9e3bea50 12 bytes [48, B8, 6E, 4F, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007ffc9e3c7911 11 bytes [B8, 96, 26, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_A 00007ffc9e3e9510 12 bytes [48, B8, D8, 4E, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory2 + 1 00007ffc9d035611 11 bytes [B8, F2, 52, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory + 1 00007ffc9d035851 11 bytes [B8, C6, 51, D9, C2, D5, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 + 1 00007ffc9d0359b1 1 byte [B8] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 + 3 00007ffc9d0359b3 9 bytes [52, D9, C2, D5, 01, 00, 00, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffc9158cc60 12 bytes [48, B8, B4, 54, D9, C2, D5, ...] .text D:\TeamSpeak\ts3client_win64.exe[1828] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW + 1 00007ffc9159cac1 11 bytes [B8, 1E, 54, D9, C2, D5, 01, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007ffca337cec1 11 bytes [B8, 64, 0D, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 00007ffca337d821 11 bytes [B8, DE, 1A, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReadFile 00007ffca33d4e00 5 bytes [48, B8, 74, 1B, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReadFile + 8 00007ffca33d4e08 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile 00007ffca33d4e40 5 bytes [48, B8, BA, 20, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile + 8 00007ffca33d4e48 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffca33d4f20 5 bytes [48, B8, 98, 15, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose + 8 00007ffca33d4f28 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffca33d50c0 5 bytes [48, B8, 14, 12, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00007ffca33d50c8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffca33d5200 5 bytes [48, B8, 5C, 06, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00007ffca33d5208 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffca33d5240 5 bytes [48, B8, 80, 00, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00007ffca33d5248 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffca33d5280 5 bytes [48, B8, 16, 01, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00007ffca33d5288 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffca33d52c0 5 bytes [48, B8, 7E, 11, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00007ffca33d52c8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffca33d5420 5 bytes [48, B8, 8E, 1F, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection + 8 00007ffca33d5428 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffca33d5480 5 bytes [48, B8, 30, 05, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00007ffca33d5488 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffca33d54c0 5 bytes [48, B8, 88, 07, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00007ffca33d54c8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffca33d5560 5 bytes [48, B8, 48, 1A, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 00007ffca33d5568 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffca33d55e0 5 bytes [48, B8, F2, 06, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00007ffca33d55e8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffca33d5680 5 bytes [48, B8, 50, 21, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection + 8 00007ffca33d5688 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007ffca33d56e0 5 bytes [48, B8, 04, 04, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00007ffca33d56e8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffca33d5700 5 bytes [48, B8, D8, 02, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread + 8 00007ffca33d5708 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffca33d57e0 5 bytes [48, B8, 24, 20, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile + 8 00007ffca33d57e8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffca33d5930 5 bytes [48, B8, 7C, 22, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00007ffca33d5938 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffca33d6230 5 bytes [48, B8, F8, 1E, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00007ffca33d6238 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007ffca33d62f0 5 bytes [48, B8, 6E, 03, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00007ffca33d62f8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffca33d63b0 5 bytes [48, B8, 42, 02, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00007ffca33d63b8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffca33d6c10 5 bytes [48, B8, 2E, 16, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00007ffca33d6c18 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError 00007ffca33d7730 6 bytes [48, B8, 52, 10, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00007ffca33d7738 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffca33d7b70 6 bytes [48, B8, C6, 05, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00007ffca33d7b78 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffca33d7f50 6 bytes [48, B8, C4, 16, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00007ffca33d7f58 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffca33d8170 6 bytes [48, B8, 4A, 09, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00007ffca33d8178 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffca33d8190 6 bytes [48, B8, B4, 08, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00007ffca33d8198 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffca33d81b0 6 bytes [48, B8, E6, 21, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00007ffca33d81b8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffca33d83d0 6 bytes [48, B8, 62, 1E, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 8 00007ffca33d83d8 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlReportException + 1 00007ffca3400611 11 bytes [B8, E8, 10, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\KERNEL32.dll!Process32NextW 00007ffca1491040 12 bytes [48, B8, 02, 15, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\KERNEL32.dll!GetStartupInfoA + 1 00007ffca1495d71 11 bytes [B8, CC, 1D, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\KERNEL32.dll!CreateToolhelp32Snapshot 00007ffca149e800 12 bytes [48, B8, 1E, 08, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\KERNEL32.dll!MoveFileExA + 1 00007ffca14b1391 8 bytes [B8, F0, 17, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\KERNEL32.dll!MoveFileExA + 10 00007ffca14b139a 2 bytes [50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\KERNEL32.dll!MoveFileWithProgressA + 1 00007ffca14b1491 8 bytes [B8, 1C, 19, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\KERNEL32.dll!MoveFileWithProgressA + 10 00007ffca14b149a 2 bytes [50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1 00007ffca13028e1 8 bytes [B8, 22, 31, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10 00007ffca13028ea 2 bytes [50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1 00007ffca130a8d1 11 bytes [B8, 8C, 30, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffca130b4e0 7 bytes [48, B8, 68, 36, 71, 00, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10 00007ffca130b4ea 2 bytes [50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrA 00007ffca130d740 12 bytes [48, B8, 06, 3E, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!GetWindowLongA 00007ffca130f770 12 bytes [48, B8, 32, 3F, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!GetWindowLongW + 1 00007ffca130f881 11 bytes [B8, C8, 3F, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrW + 1 00007ffca130faf1 11 bytes [B8, 9C, 3E, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1 00007ffca13159f1 11 bytes [B8, 18, 3B, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!CallNextHookEx 00007ffca1316150 12 bytes [48, B8, 3C, 35, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 1 00007ffca1317221 11 bytes [B8, 8A, 41, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA 00007ffca1317810 5 bytes [48, B8, 5E, 40, 71] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA + 6 00007ffca1317816 6 bytes [00, 00, 00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1 00007ffca1319131 11 bytes [B8, 2A, 38, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1 00007ffca1319481 11 bytes [B8, B6, 42, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1 00007ffca131c541 11 bytes [B8, 10, 34, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1 00007ffca131c671 11 bytes [B8, A6, 34, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1 00007ffca131cad1 11 bytes [B8, E4, 32, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffca1321d50 12 bytes [48, B8, 70, 3D, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!GetMessageW 00007ffca1322df0 12 bytes [48, B8, 7A, 33, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1 00007ffca1323c61 5 bytes [B8, 44, 3C, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9 00007ffca1323c69 3 bytes [00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1 00007ffca1325aa1 7 bytes [B8, DA, 3C, 71, 00, 00, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9 00007ffca1325aa9 3 bytes [00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1 00007ffca1325dd1 7 bytes [B8, B8, 31, 71, 00, 00, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9 00007ffca1325dd9 3 bytes [00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffca1326dd0 12 bytes [48, B8, 4E, 32, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1 00007ffca1327641 11 bytes [B8, 20, 42, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffca1328a40 7 bytes [48, B8, FE, 36, 71, 00, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10 00007ffca1328a4a 2 bytes [50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1 00007ffca132c641 11 bytes [B8, C0, 38, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA + 1 00007ffca132d0c1 11 bytes [B8, F4, 40, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!ShowWindow 00007ffca1332980 6 bytes [48, B8, 94, 37, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8 00007ffca1332988 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx 00007ffca1332c80 6 bytes [48, B8, D2, 35, 71, 00] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8 00007ffca1332c88 4 bytes [00, 00, 50, C3] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1 00007ffca137e101 11 bytes [B8, 56, 39, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1 00007ffca137e131 1 byte [B8] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 3 00007ffca137e133 9 bytes [39, 71, 00, 00, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1 00007ffca13884e1 11 bytes [B8, 82, 3A, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1 00007ffca13887a1 11 bytes [B8, AE, 3B, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\shell32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes [B8, 78, 45, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!send + 1 00007ffca2f8cb61 11 bytes [B8, FC, 48, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!closesocket 00007ffca2f8cde0 12 bytes [48, B8, 28, 4A, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!recv + 1 00007ffca2f8dd91 11 bytes [B8, 80, 4C, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!WSASend + 1 00007ffca2f8dfb1 11 bytes [B8, BE, 4A, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!WSARecv + 1 00007ffca2f8e231 11 bytes [B8, 16, 4D, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!socket + 1 00007ffca2f8ea01 11 bytes [B8, 54, 4B, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!WSASocketW 00007ffca2f8eb50 12 bytes [48, B8, 92, 49, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!GetAddrInfoW 00007ffca2f8f1e0 12 bytes [48, B8, 3A, 47, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!connect + 1 00007ffca2f90421 11 bytes [B8, A4, 46, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!GetAddrInfoExW 00007ffca2f91900 12 bytes [48, B8, D0, 47, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!gethostbyname + 1 00007ffca2f95401 11 bytes [B8, 66, 48, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!WSAConnect + 1 00007ffca2f973a1 11 bytes [B8, EA, 4B, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\ws2_32.dll!WEP + 273 00007ffca2f990c1 11 bytes [B8, 0E, 46, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory2 + 1 00007ffc9d035611 11 bytes [B8, 6E, 4F, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory + 1 00007ffc9d035851 11 bytes [B8, 42, 4E, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 + 1 00007ffc9d0359b1 11 bytes [B8, D8, 4E, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpOpenRequest 00007ffc9a1d92e0 12 bytes [48, B8, 9A, 50, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpCloseHandle + 1 00007ffc9a1e4421 11 bytes [B8, 30, 51, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpConnect + 1 00007ffc9a1f4681 11 bytes [B8, C6, 51, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQueryEx + 1 00007ffc9e3a19f1 11 bytes [B8, B4, 54, 71, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_UTF8 00007ffc9e3be9f0 12 bytes [48, B8, 1E, 54, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_W 00007ffc9e3bea50 12 bytes [48, B8, 88, 53, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007ffc9e3c7911 1 byte [B8] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsDhcpRegisterAddrs + 435 00007ffc9e3c7913 9 bytes [52, 71, 00, 00, 00, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_A 00007ffc9e3e9510 12 bytes [48, B8, F2, 52, 71, 00, 00, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffc9158cc60 3 bytes [48, B8, 76] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW + 4 00007ffc9158cc64 8 bytes [71, 00, 00, 00, 00, 00, 50, ...] .text D:\ShareX\ShareX.exe[1552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW + 1 00007ffc9159cac1 11 bytes [B8, E0, 55, 71, 00, 00, 00, ...] .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007ffca19c2fc1 11 bytes {MOV EAX, 0xffffffffc53e2696; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007ffca19c44d0 12 bytes [48, B8, D4, 24, 3E, C5, EB, ...] .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007ffca19c67e0 12 bytes [48, B8, 6A, 25, 3E, C5, EB, ...] .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007ffca19c6881 11 bytes {MOV EAX, 0xffffffffc53e2984; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007ffca19c7b51 11 bytes {MOV EAX, 0xffffffffc53e272c; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007ffca19d38b1 11 bytes {MOV EAX, 0xffffffffc53e227c; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007ffca19d4d81 11 bytes {MOV EAX, 0xffffffffc53e28ee; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007ffca19d9211 11 bytes {MOV EAX, 0xffffffffc53e2858; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007ffca19e8ac1 11 bytes {MOV EAX, 0xffffffffc53e2600; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007ffca19e9351 11 bytes {MOV EAX, 0xffffffffc53e27c2; JMP 0x8} .text C:\WINDOWS\system32\SearchProtocolHost.exe[6844] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ffca1ad14b1 11 bytes {MOV EAX, 0xffffffffc53e44e2; JMP 0x8} ? C:\WINDOWS\system32\apphelp.dll [7012] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [1400] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [7232] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [5408] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [6076] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [7112] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [2180] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [7892] entry point in ".rdata" section 0000000073c30380 ? C:\WINDOWS\system32\apphelp.dll [4576] entry point in ".rdata" section 0000000073c30380 .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1 00007ffca1495d71 11 bytes [B8, 6C, 14, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot 00007ffca149e800 12 bytes [48, B8, 1E, 08, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1 00007ffca14b1391 8 bytes [B8, 26, 0F, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10 00007ffca14b139a 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1 00007ffca14b1491 8 bytes [B8, 52, 10, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 10 00007ffca14b149a 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1 00007ffca13028e1 8 bytes [B8, 74, 1C, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10 00007ffca13028ea 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1 00007ffca130a8d1 11 bytes [B8, 86, 18, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrA 00007ffca130d740 12 bytes [48, B8, 8E, 20, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!GetWindowLongA 00007ffca130f770 12 bytes [48, B8, BA, 21, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!GetWindowLongW + 1 00007ffca130f881 11 bytes [B8, 50, 22, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrW + 1 00007ffca130faf1 11 bytes [B8, 24, 21, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 1 00007ffca1317221 11 bytes [B8, 12, 24, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA 00007ffca1317810 5 bytes [48, B8, E6, 22, 1C] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA + 6 00007ffca1317816 6 bytes [00, 00, 00, 00, 50, C3] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1 00007ffca1319481 11 bytes [B8, 6A, 26, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1 00007ffca131cad1 2 bytes [B8, A8] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!GetMessageA + 4 00007ffca131cad4 8 bytes [1C, 00, 00, 00, 00, 00, 50, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffca1321d50 12 bytes [48, B8, F8, 1F, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!GetMessageW 00007ffca1322df0 12 bytes [48, B8, 3E, 25, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1 00007ffca1323c61 5 bytes [B8, CC, 1E, 1C, 00] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9 00007ffca1323c69 3 bytes [00, 50, C3] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1 00007ffca1325aa1 7 bytes [B8, 62, 1F, 1C, 00, 00, 00] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9 00007ffca1325aa9 3 bytes [00, 50, C3] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1 00007ffca1325dd1 7 bytes [B8, 0A, 1D, 1C, 00, 00, 00] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9 00007ffca1325dd9 3 bytes [00, 50, C3] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffca1326dd0 12 bytes [48, B8, A0, 1D, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1 00007ffca1327641 11 bytes [B8, D4, 25, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA + 1 00007ffca132d0c1 11 bytes [B8, 7C, 23, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1 00007ffca13887a1 11 bytes [B8, 36, 1E, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007ffca19c2fc1 11 bytes [B8, C2, 28, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007ffca19c44d0 12 bytes [48, B8, 00, 27, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007ffca19c67e0 12 bytes [48, B8, 96, 27, 1C, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007ffca19c6881 11 bytes [B8, B0, 2B, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007ffca19c7b51 11 bytes [B8, 58, 29, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007ffca19d38b1 11 bytes [B8, 48, 1A, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007ffca19d4d81 11 bytes [B8, 1A, 2B, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007ffca19d9211 11 bytes [B8, 84, 2A, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007ffca19e8ac1 11 bytes [B8, 2C, 28, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[7528] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007ffca19e9351 11 bytes [B8, EE, 29, 1C, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1 00007ffca1495d71 11 bytes [B8, 6C, 14, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot 00007ffca149e800 12 bytes [48, B8, 1E, 08, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1 00007ffca14b1391 8 bytes [B8, 26, 0F, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10 00007ffca14b139a 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1 00007ffca14b1491 8 bytes [B8, 52, 10, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 10 00007ffca14b149a 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1 00007ffca13028e1 8 bytes [B8, 74, 1C, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10 00007ffca13028ea 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1 00007ffca130a8d1 11 bytes [B8, 86, 18, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrA 00007ffca130d740 12 bytes [48, B8, 8E, 20, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!GetWindowLongA 00007ffca130f770 12 bytes [48, B8, BA, 21, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!GetWindowLongW + 1 00007ffca130f881 11 bytes [B8, 50, 22, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrW + 1 00007ffca130faf1 11 bytes [B8, 24, 21, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 1 00007ffca1317221 11 bytes [B8, 12, 24, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA 00007ffca1317810 5 bytes [48, B8, E6, 22, 65] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA + 6 00007ffca1317816 6 bytes [00, 00, 00, 00, 50, C3] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1 00007ffca1319481 11 bytes [B8, 6A, 26, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1 00007ffca131cad1 2 bytes [B8, A8] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!GetMessageA + 4 00007ffca131cad4 8 bytes [65, 00, 00, 00, 00, 00, 50, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffca1321d50 12 bytes [48, B8, F8, 1F, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!GetMessageW 00007ffca1322df0 12 bytes [48, B8, 3E, 25, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1 00007ffca1323c61 5 bytes [B8, CC, 1E, 65, 00] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9 00007ffca1323c69 3 bytes [00, 50, C3] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1 00007ffca1325aa1 7 bytes [B8, 62, 1F, 65, 00, 00, 00] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9 00007ffca1325aa9 3 bytes [00, 50, C3] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1 00007ffca1325dd1 7 bytes [B8, 0A, 1D, 65, 00, 00, 00] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9 00007ffca1325dd9 3 bytes [00, 50, C3] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffca1326dd0 12 bytes [48, B8, A0, 1D, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1 00007ffca1327641 11 bytes [B8, D4, 25, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA + 1 00007ffca132d0c1 11 bytes [B8, 7C, 23, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1 00007ffca13887a1 11 bytes [B8, 36, 1E, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007ffca19c2fc1 11 bytes [B8, C2, 28, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007ffca19c44d0 12 bytes [48, B8, 00, 27, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007ffca19c67e0 12 bytes [48, B8, 96, 27, 65, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007ffca19c6881 11 bytes [B8, B0, 2B, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007ffca19c7b51 11 bytes [B8, 58, 29, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007ffca19d38b1 11 bytes [B8, 48, 1A, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007ffca19d4d81 11 bytes [B8, 1A, 2B, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007ffca19d9211 11 bytes [B8, 84, 2A, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007ffca19e8ac1 11 bytes [B8, 2C, 28, 65, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[3940] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007ffca19e9351 11 bytes [B8, EE, 29, 65, 00, 00, 00, ...] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [672:6164] fffff960383a4060 Thread C:\WINDOWS\Explorer.EXE [3184:5764] 00007ffc8fb50250 Thread C:\WINDOWS\Explorer.EXE [3184:7984] 00007ffc90a50250 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----