GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-14 14:37:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000059 LSILOGIC rev.3000 543.89GB Running: 39oxjvu8.exe; Driver: C:\Users\CONGO\AppData\Local\Temp\uxldqpod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefe160761 11 bytes [B8, 39, EE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe163b44 12 bytes [48, B8, 79, 67, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe17b704 12 bytes [48, B8, B9, 65, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe17b870 12 bytes [48, B8, 39, 5B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe17b8dc 12 bytes [48, B8, 79, 59, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefe160761 11 bytes [B8, F9, EF, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe163b44 12 bytes [48, B8, 79, 67, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe17b704 12 bytes [48, B8, B9, 65, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe17b870 12 bytes [48, B8, 39, 5B, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe17b8dc 12 bytes [48, B8, 79, 59, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefe160761 11 bytes [B8, F9, EF, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe163b44 12 bytes [48, B8, 79, 67, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe17b704 12 bytes [48, B8, B9, 65, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe17b870 12 bytes [48, B8, 39, 5B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe17b8dc 12 bytes [48, B8, 79, 59, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefe9fdc51 11 bytes [B8, 39, 85, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefe160761 11 bytes [B8, F9, EF, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe163b44 12 bytes [48, B8, 79, 67, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe17b704 12 bytes [48, B8, B9, 65, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe17b870 12 bytes [48, B8, 39, 5B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe17b8dc 12 bytes [48, B8, 79, 59, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefe160761 11 bytes [B8, F9, EF, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe163b44 12 bytes [48, B8, 79, 67, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe17b704 12 bytes [48, B8, B9, 65, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe17b870 12 bytes [48, B8, 39, 5B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe17b8dc 12 bytes [48, B8, 79, 59, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1708] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[2076] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2228] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2428] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2628] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2708] C:\Windows\system32\d3d11.dll!D3D11CreateDeviceAndSwapChain 000007fef156fef0 12 bytes [48, B8, 39, 8C, 11, 76, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, B9, 50, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, B9, 7A, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, F9, 63, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, B9, 57, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, F9, 55, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, 39, 77, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 79, 7C, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, F9, 78, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, F9, 7F, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 79, 75, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, B9, 65, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, 79, 67, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, B9, 6C, 11, 76] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, 39, 62, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, F9, 6A, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, 39, 46, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, F9, 40, 11, 76, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, 39, 3F, 11, 76, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, F9, 47, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, B9, 42, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 79, 44, 11, 76, 00, 00, ...] .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007794f908 5 bytes JMP 0000000173fe6661 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 0000000173fe5f11 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007794fb08 5 bytes JMP 0000000173fe5971 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007794fc00 5 bytes JMP 0000000173fe3061 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007794fc30 5 bytes JMP 0000000173fe15f1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007794fc60 5 bytes JMP 0000000173fe1681 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 0000000173fe58e1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 0000000173fe65d1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007794fdf4 5 bytes JMP 0000000173fe2f41 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007794fe24 5 bytes JMP 0000000173fe3181 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007794ff04 5 bytes JMP 0000000173fe30f1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 0000000173fe66f1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007794ffcc 5 bytes JMP 0000000173fe2d91 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 5 bytes JMP 0000000173fe2c71 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 0000000173fe1e61 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779501a4 5 bytes JMP 0000000173fe2251 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007795077c 5 bytes JMP 0000000173fe6541 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779507f4 5 bytes JMP 0000000173fe2d01 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 0000000173fe2be1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 0000000173fe5fa1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000779515e4 5 bytes JMP 0000000173fe4651 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077951900 5 bytes JMP 0000000173fe2fd1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 0000000173fe6031 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 0000000173fe6781 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077951ec8 5 bytes JMP 0000000173fe6391 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000779688a4 5 bytes JMP 0000000173fe1a71 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077990cfb 5 bytes JMP 0000000173fe1f81 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000779d857f 5 bytes JMP 0000000173fe46e1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000779de81b 5 bytes JMP 0000000173fe1ef1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075d50e00 5 bytes JMP 0000000173fe1d41 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075d51072 5 bytes JMP 0000000173fe2911 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000075d549bf 5 bytes JMP 0000000173fe2521 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075d63bdb 5 bytes JMP 0000000173fe2eb1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075d77347 5 bytes JMP 0000000173fe2641 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000075d78954 5 bytes JMP 0000000173fe5e81 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075dd2c91 5 bytes JMP 0000000173fe27f1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000075df6f6b 5 bytes JMP 0000000173fe4261 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075df6f8e 5 bytes JMP 0000000173fe4381 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075df7339 5 bytes JMP 0000000173fe44a1 .text C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe[2832] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075df73b2 5 bytes JMP 0000000173fe45c1 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefe160761 11 bytes [B8, 79, F3, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe163b44 12 bytes [48, B8, 79, 67, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe17b704 12 bytes [48, B8, B9, 65, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe17b870 12 bytes [48, B8, 39, 5B, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe17b8dc 12 bytes [48, B8, 79, 59, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] ? C:\Windows\system32\esentprf.dll [2920] entry point in ".data" section 000007fef1d9def4 ? C:\Windows\System32\perfos.dll [2920] entry point in ".data" section 000007feef0b6574 ? C:\Windows\system32\UTILDLL.dll [2920] entry point in ".rsrc" section 000007feeee45434 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, B9, E3, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, 79, E5, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2864] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000777892a1 5 bytes [B8, F9, 63, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000777892a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000777a1390 6 bytes [48, B8, 79, EC, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000777a1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 6 bytes [48, B8, 79, D0, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000777a1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777a14d0 6 bytes [48, B8, 39, BD, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000777a14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 6 bytes [48, B8, F9, 32, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000777a1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777a1590 6 bytes [48, B8, 39, 1C, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000777a1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777a15b0 6 bytes [48, B8, F9, 1D, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000777a15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 6 bytes [48, B8, 79, BB, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000777a15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 6 bytes [48, B8, F9, E8, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000777a1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 6 bytes [48, B8, 79, 2F, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000777a16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 6 bytes [48, B8, 79, 36, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000777a16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 6 bytes [48, B8, B9, 34, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000777a1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 6 bytes [48, B8, 39, EE, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000777a17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777a17e0 6 bytes [48, B8, 39, 2A, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000777a17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 6 bytes [48, B8, B9, 26, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000777a17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 6 bytes [48, B8, B9, EA, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000777a1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000777a1910 6 bytes [48, B8, B9, F1, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000777a1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 6 bytes [48, B8, 39, E7, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000777a1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777a1d30 6 bytes [48, B8, 79, 28, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000777a1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 6 bytes [48, B8, F9, 24, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000777a1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 6 bytes [48, B8, 39, D2, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000777a2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000777a2640 6 bytes [48, B8, 39, 7E, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000777a2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 6 bytes [48, B8, 39, 31, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000777a2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 6 bytes [48, B8, F9, D3, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000777a2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 6 bytes [48, B8, F9, EF, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000777a2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 6 bytes [48, B8, F9, E1, 11, 76] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000777a2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000778131f1 11 bytes [B8, F9, 7F, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000776320f1 11 bytes [B8, B9, CE, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000776321e0 12 bytes [48, B8, F9, 39, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007764e750 12 bytes [48, B8, B9, 2D, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077651e31 11 bytes [B8, 39, E0, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077685011 11 bytes [B8, 79, 75, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077685031 11 bytes [B8, F9, 71, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007769a560 12 bytes [48, B8, 79, 7C, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007769a670 12 bytes [48, B8, F9, 78, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd751861 11 bytes [B8, 39, 4D, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7530f1 11 bytes [B8, 39, C4, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd758b80 12 bytes [48, B8, 79, 4B, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd759940 12 bytes [48, B8, B9, C0, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd759fb1 11 bytes [B8, 79, C2, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd75bbb1 11 bytes [B8, F9, BE, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7629c1 11 bytes [B8, B9, 49, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd784320 12 bytes [48, B8, 79, 3D, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd792841 8 bytes [B8, 39, 23, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd79284a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd792881 11 bytes [B8, B9, 3B, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefdd1642d 11 bytes [B8, F9, 55, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefdd16484 12 bytes [48, B8, B9, 50, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefdd16519 11 bytes [B8, F9, 5C, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefdd16c34 12 bytes [48, B8, F9, 4E, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefdd17ab5 11 bytes [B8, B9, 57, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefdd18b01 11 bytes [B8, 79, 52, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefdd18c39 11 bytes [B8, 39, 54, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdf413b1 11 bytes [B8, B9, B9, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdf418e0 12 bytes [48, B8, F9, B7, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdf41bd1 11 bytes [B8, 39, B6, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdf42201 11 bytes [B8, B9, DC, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdf423c0 12 bytes [48, B8, 39, A1, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!connect 000007fefdf445c0 12 bytes [48, B8, 39, 62, 11, 76, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdf48001 11 bytes [B8, 79, B4, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdf48df0 7 bytes [48, B8, F9, A2, 11, 76, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdf48df9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdf4de91 11 bytes [B8, B9, D5, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdf4df41 11 bytes [B8, F9, DA, 11, 76, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[1640] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdf6e0f1 11 bytes [B8, 39, D9, 11, 76, 00, 00, ...] .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007794f8d0 5 bytes JMP 0000000173fe60c1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007794f908 5 bytes JMP 0000000173fe66f1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 0000000173fe5f11 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007794fb08 5 bytes JMP 0000000173fe5971 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007794fc00 5 bytes JMP 0000000173fe3061 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007794fc30 5 bytes JMP 0000000173fe15f1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007794fc60 5 bytes JMP 0000000173fe1681 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 0000000173fe58e1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 0000000173fe6661 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007794fdf4 5 bytes JMP 0000000173fe2f41 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007794fe24 5 bytes JMP 0000000173fe3181 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007794ff04 5 bytes JMP 0000000173fe30f1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 0000000173fe6781 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007794ffcc 5 bytes JMP 0000000173fe2d91 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 5 bytes JMP 0000000173fe2c71 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 0000000173fe1e61 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779501a4 5 bytes JMP 0000000173fe2251 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007795077c 5 bytes JMP 0000000173fe65d1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779507f4 5 bytes JMP 0000000173fe2d01 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 0000000173fe2be1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 0000000173fe5fa1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000779515e4 5 bytes JMP 0000000173fe4651 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077951900 5 bytes JMP 0000000173fe2fd1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 0000000173fe6031 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 0000000173fe6811 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077951ec8 5 bytes JMP 0000000173fe6421 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000779688a4 5 bytes JMP 0000000173fe1a71 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077990cfb 5 bytes JMP 0000000173fe1f81 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000779d857f 5 bytes JMP 0000000173fe46e1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000779de81b 5 bytes JMP 0000000173fe1ef1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075d50e00 5 bytes JMP 0000000173fe1d41 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075d51072 5 bytes JMP 0000000173fe2911 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000075d549bf 5 bytes JMP 0000000173fe2521 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075d63bdb 5 bytes JMP 0000000173fe2eb1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075d77347 5 bytes JMP 0000000173fe2641 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000075d78954 5 bytes JMP 0000000173fe5e81 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075dd2c91 5 bytes JMP 0000000173fe27f1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000075df6f6b 5 bytes JMP 0000000173fe4261 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075df6f8e 5 bytes JMP 0000000173fe4381 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075df7339 5 bytes JMP 0000000173fe44a1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075df73b2 5 bytes JMP 0000000173fe45c1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075c58f7d 5 bytes JMP 0000000173fe19e1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000075c5c428 5 bytes JMP 0000000173fe37b1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075c5ec98 5 bytes JMP 0000000173fe32a1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000075c5f1f8 5 bytes JMP 0000000173fe22e1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000075c5fa7b 5 bytes JMP 0000000173fe1dd1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000075c6134a 5 bytes JMP 0000000173fe3721 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075c61371 5 bytes JMP 0000000173fe3691 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c61d1b 5 bytes JMP 0000000173fe1951 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000075c61e07 5 bytes JMP 0000000173fe2401 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c62aa4 5 bytes JMP 0000000173fe5a91 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000075c62ccc 5 bytes JMP 0000000173fe5a01 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c62d0a 5 bytes JMP 0000000173fe5b21 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000075c62e6d 5 bytes JMP 0000000173fe18c1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000075c63b63 5 bytes JMP 0000000173fe21c1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000075c64489 5 bytes JMP 0000000173fe2371 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000075c645fb 5 bytes JMP 0000000173fe3211 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000075c64624 5 bytes JMP 0000000173fe2b51 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000075c6c72c 5 bytes JMP 0000000173fe26d1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a1ca4c 5 bytes JMP 0000000173fe38d1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000075a22bf0 5 bytes JMP 0000000173fe3841 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a2369c 5 bytes JMP 0000000173fe3cc1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000075a249e5 5 bytes JMP 0000000173fe68a1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a3712c 5 bytes JMP 0000000173fe3f01 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a37144 5 bytes JMP 0000000173fe3a81 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000075a3715c 5 bytes JMP 0000000173fe3b11 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000075a530e8 5 bytes JMP 0000000173fe3ba1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075a530f8 5 bytes JMP 0000000173fe3c31 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000075a53108 5 bytes JMP 0000000173fe3961 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000075a53118 5 bytes JMP 0000000173fe39f1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075a53158 5 bytes JMP 0000000173fe3e71 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000770ba472 5 bytes JMP 0000000173fe6931 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000770c27ce 5 bytes JMP 0000000173fe1b91 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000770ce6cf 5 bytes JMP 0000000173fe1b01 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075ed78e2 5 bytes JMP 0000000173fe4021 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075ed7bd3 5 bytes JMP 0000000173fe3f91 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075ed8a29 5 bytes JMP 0000000173fe52b1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000075ed98fd 5 bytes JMP 0000000173fe5cd1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 0000000075edb6ed 5 bytes JMP 0000000173fe69c1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075edd22e 5 bytes JMP 0000000173fe5341 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000075edffe6 5 bytes JMP 0000000173fe5bb1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000075ee00d9 5 bytes JMP 0000000173fe5c41 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000075ee05ba 5 bytes JMP 0000000173fe4141 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075ee0dfb 5 bytes JMP 0000000173fe53d1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ee12a5 5 bytes JMP 0000000173fe6541 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!SetWindowTextW 0000000075ee20ec 5 bytes JMP 0000000173fe5731 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ee3baa 5 bytes JMP 0000000173fe64b1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075ee5f74 5 bytes JMP 0000000173fe40b1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075ee6285 5 bytes JMP 0000000173fe4771 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ee7603 5 bytes JMP 0000000173fe2ac1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075ee7aee 5 bytes JMP 0000000173fe56a1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ee835c 5 bytes JMP 0000000173fe2a31 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 0000000075efce54 5 bytes JMP 0000000173fe54f1 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075eff52b 5 bytes JMP 0000000173fe4801 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000075eff588 5 bytes JMP 0000000173fe5d61 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 0000000075f010a0 5 bytes JMP 0000000173fe5461 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075f2fcd6 5 bytes JMP 0000000173fe5581 .text C:\Users\CONGO\Desktop\39oxjvu8.exe[3860] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075f2fcfa 5 bytes JMP 0000000173fe5611 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetLastError] [744e018f0079654b] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetProcAddress] [666e497972657551] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!LoadLibraryExW] [6e6f6974616d726f] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!lstrcatW] [737365636f7250] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!lstrlenW] [64616552744e01ba] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetCurrentThreadId] [4d6c617574726956] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!FlsSetValue] [1b00079726f6d65] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetCommandLineA] [567972657551744e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!FlsGetValue] [5579706f436c7452] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!FlsFree] [745365646f63696e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!SetLastError] [1630000676e6972] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!FlsAlloc] [72506e65704f744e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!HeapFree] [15a00737365636f] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!Sleep] [6f4a6e65704f744e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetModuleHandleW] [7463656a624f62] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!SetHandleCount] [6f74636572694479] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetStdHandle] [7463656a624f7972] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetFileType] [704f744e01540000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetStartupInfoA] [7463657269446e65] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetModuleFileNameA] [7551744e019d0074] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!FreeEnvironmentStringsA] [63656a624f797265] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetEnvironmentStrings] [496c745203bc0074] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!FreeEnvironmentStringsW] [6e556f543436746e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!WideCharToMultiByte] [72745365646f6369] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetEnvironmentStringsW] [7452043200676e69] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!HeapSetInformation] [654879726575516c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!HeapCreate] [6d726f666e497061] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!HeapDestroy] [4f0006e6f697461] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!RtlUnwindEx] [75747269566c7452] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!QueryPerformanceCounter] [646e69776e556c61] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetTickCount] [4c6c745204010000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetCurrentProcessId] [6e754670756b6f6f] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [746e456e6f697463] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!TerminateProcess] [7452027b00007972] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetCurrentProcess] [657275747061436c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!UnhandledExceptionFilter] [747865746e6f43] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [6c642e6c6c64746e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!IsDebuggerPresent] [7061654802d3006c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!RtlVirtualUnwind] [2d700636f6c6c41] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!RtlLookupFunctionEntry] [6565724670616548] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!RtlCaptureContext] [5374654702800000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetCPInfo] [654802d600656d69] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetACP] [6f72747365447061] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetOEMCP] [7061654802d50079] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!IsValidCodePage] [657461657243] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!WriteFile] [7272457473614c74] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!LoadLibraryA] [694400e20000726f] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!InitializeCriticalSectionAndSpinCount] [726854656c626173] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetLocaleInfoA] [617262694c646165] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetStringTypeA] [736c6c61437972] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!MultiByteToWideChar] [6d637274736c0558] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!GetStringTypeW] [6547029a00576970] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!LCMapStringA] [756f436b63695474] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[KERNEL32.dll!LCMapStringW] [6c4300520000746e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[mscoree.dll!GetRequestedRuntimeInfo] [616d726f666e4979] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\netfxperf.dll[mscoree.dll!GetCORSystemDirectory] [4f626f4a6e6f6974] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!memcpy] [7c8] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_CxxThrowException] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_onexit] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_lock] [80818086808006] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!__dllonexit] [8082868086031000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_unlock] [8585454545050514] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!?terminate@@YAXXZ] [5080303000000585] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_amsg_exit] [3827280008008080] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_initterm] [3037000700805750] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_XcptFilter] [2000000088505030] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!memset] [808686868606060] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!memcpy_s] [870707770707807] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_purecall] [700080008000008] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!malloc] [8] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!free] [5c6c61626f6c47] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_iob] [6e6174736e497325] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_errno] [2520203a64256563] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!wcsncpy_s] [73] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_vsnwprintf] [2579646165527325] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!strncmp] [732520203a64] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!fprintf] [203a64256f477325] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!_vsnprintf] [732520] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[msvcrt.dll!__CxxFrameHandler3] [3a64254144497325] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[USER32.dll!UnregisterClassA] [4a5bc7ef00000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[USER32.dll!CharNextW] [200000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[ole32.dll!CoTaskMemFree] [5c544e4553455c73] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[ole32.dll!CoTaskMemRealloc] [616d726f66726550] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[ole32.dll!CoCreateInstance] [65636e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[ole32.dll!CoTaskMemAlloc] [6f43207473726946] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[ntdll.dll!RtlCaptureContext] [435c4d4554535953] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[ntdll.dll!RtlLookupFunctionEntry] [6f43746e65727275] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[ntdll.dll!RtlVirtualUnwind] [7465536c6f72746e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[KERNEL32.dll!GetLocalTime] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[KERNEL32.dll!lstrlenW] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[KERNEL32.dll!GetVersionExA] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[KERNEL32.dll!GetTickCount] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[KERNEL32.dll!Sleep] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\msscntrs.dll[KERNEL32.dll!QueryPerformanceCounter] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!memcpy] [cb8b48683c548b48] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!memmove] [834800005e3a15ff] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!_amsg_exit] [848b48e37c783c44] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!free] [4505c70000008024] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!_initterm] [480000000100009e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!malloc] [8b4800009e420589] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!_XcptFilter] [8948000000882484] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!_wtol] [848b4800009e2305] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!towupper] [589480000009024] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!_vsnwprintf] [54ebc03300009e0c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!wcsstr] [8c8d486024448d4c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!_wcsnicmp] [104ba000000a024] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!_ltow_s] [85000058dbe80000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!wcsncmp] [60560d8d483375c0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[msvcrt.dll!memset] [5de015ff0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!RtlCaptureContext] [c7ffffff32820f00] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!RtlLookupFunctionEntry] [5700009dd705] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!RtlVirtualUnwind] [ceb00000057b800] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtQueryValueKey] [58900005d9a15ff] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtOpenKey] [249c8b4800009dc4] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtOpenFile] [24bc8b48000004e0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!RtlNtStatusToDosError] [248c8b48000004d0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtQueryVolumeInformationFile] [e8cc3348000004c0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtQuerySymbolicLinkObject] [d8c48148000003e4] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtOpenSymbolicLinkObject] [ccccccccc3000004] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!RtlInitUnicodeString] [cccccccccccccccc] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtDeviceIoControlFile] [8b4820ec83485340] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtClose] [c085fffffd52e8d9] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ntdll.dll!NtQuerySystemInformation] [7d15ffcb8b480975] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!UnhandledExceptionFilter] [48c9334500006264] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetCurrentProcess] [24448d4878244489] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!TerminateProcess] [24448948c0334564] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetCurrentProcessId] [104482444c750] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetCurrentThreadId] [2b024848d4800] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [8d48402444894800] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!QueryPerformanceCounter] [448948d233602444] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!lstrcmpiW] [a024848d483824] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!DeviceIoControl] [104302444c70000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!lstrcmpW] [c728244489480000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!CreateFileW] [89000001c1202444] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [5a4ee800009f733d] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!SetErrorMode] [5890b74c0850000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!CreateThread] [1a3e900009f64] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!CloseHandle] [61e8158d4800] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!QueryPerformanceFrequency] [2b0248c8d48] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!DisableThreadLibraryCalls] [894800000003b841] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetLastError] [31e8000004e0249c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!FreeLibraryAndExitThread] [1d840fc085000005] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!lstrlenW] [61b6158d48000001] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetTickCount] [2b0248c8d480000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!FreeLibrary] [fc0850000050fe8] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!HeapFree] [5ef615ff0000618c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetModuleHandleExW] [615f0d8d480000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!GetModuleHandleW] [5ee715ffd88b00] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!Sleep] [34460245c8b4400] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!HeapDestroy] [245c0344d80344db] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!HeapCreate] [104fb814164] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[KERNEL32.dll!SetLastError] [8d48000000f9830f] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!RegisterEventSourceW] [48000004d8ec8148] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!ReportEventA] [334800008ff2058b] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!RegSetValueExW] [4c024848948c4] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!RegCloseKey] [a0143d8300] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!ReportEventW] [850f0000a00a058b] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!RegOpenKeyExW] [850fc08500000250] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!RegQueryValueExW] [c5058d4800000248] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!WmiOpenBlock] [d024bc8948000062] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!WmiQueryAllDataW] [62ae0d8d48000004] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!WmiCloseBlock] [4868244489480000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[ADVAPI32.dll!DeregisterEventSource] [ff330000628a058d] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!UnregisterDeviceNotification] [3d158d4800005eac] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!DispatchMessageW] [a0248c8d48000061] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!RegisterClassW] [5e9715ff000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!PostThreadMessageW] [6108158d4800] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!CreateWindowExW] [a0248c8d48] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!RegisterDeviceNotificationW] [d23300005e8215ff] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!TranslateMessage] [a0248c8d48] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!UnregisterClassW] [5e6615ff08428d44] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!GetMessageW] [c08548d88b480000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfdisk.dll[USER32.dll!DestroyWindow] [6666000000aa840f] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfos.dll[KERNEL32.dll!GetCurrentProcessId] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[msvcrt.dll!memmove] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[msvcrt.dll!free] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[msvcrt.dll!_initterm] [4a5bcc0400000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[msvcrt.dll!malloc] [200000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[msvcrt.dll!_XcptFilter] [123800000024] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[msvcrt.dll!wcsncmp] [638] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[msvcrt.dll!memcpy] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlCaptureContext] [49a0499f66c1aa3c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlLookupFunctionEntry] [7649f35e261a5a9] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlVirtualUnwind] [435c4d4554535953] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlQueryHeapInformation] [6f43746e65727275] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlInt64ToUnicodeString] [7465536c6f72746e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtQueryObject] [656369767265535c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtOpenDirectoryObject] [6275686273755c73] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtQueryDirectoryObject] [6d726f667265505c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtOpenJobObject] [65636e61] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtOpenProcess] [6f43207473726946] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlCopyUnicodeString] [7265746e75] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtQueryVirtualMemory] [6548207473726946] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtReadVirtualMemory] [706c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtQueryInformationProcess] [756f43207473614c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtQueryValueKey] [7265746e] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlNtStatusToDosError] [6c6548207473614c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlAppendUnicodeToString] [70] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlInitUnicodeString] [62006f006c0047] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtQuerySystemInformation] [6c0061] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtOpenKey] [650072006f0046] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtGetContextThread] [6e00670069] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtClose] [740073006f0043] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!NtOpenThread] [79006c] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ntdll.dll!RtlIntegerToUnicodeString] [66726570627375] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[KERNEL32.dll!UnhandledExceptionFilter] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[KERNEL32.dll!QueryInformationJobObject] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\System32\perfproc.dll[ADVAPI32.dll!ReportEventW] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!memcpy] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!wcsncpy_s] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!_amsg_exit] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!free] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!_initterm] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!malloc] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!_XcptFilter] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!_ltow] [200000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!wcsncat_s] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!_vsnprintf] [528] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[msvcrt.dll!memset] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!RtlCaptureContext] [2] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!RtlLookupFunctionEntry] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!RtlVirtualUnwind] [13c178] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!NtQueryValueKey] [13c130] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!NtClose] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!RtlNtStatusToDosError] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!RtlInitUnicodeString] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!NtQuerySystemInformation] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ntdll.dll!NtOpenKey] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[WINSTA.dll!WinStationEnumerateExW] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[WINSTA.dll!WinStationFreeMemory] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[UTILDLL.dll!StrConnectState] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!QueryPerformanceCounter] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!Sleep] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!lstrlenW] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!OutputDebugStringA] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!DisableThreadLibraryCalls] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!GetTickCount] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!HeapCreate] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!HeapDestroy] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!HeapFree] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!GetCurrentThreadId] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!GetCurrentProcessId] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!TerminateProcess] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!GetLastError] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!GetCurrentProcess] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[KERNEL32.dll!UnhandledExceptionFilter] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ADVAPI32.dll!RegisterEventSourceW] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ADVAPI32.dll!DeregisterEventSource] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ADVAPI32.dll!RegOpenKeyExA] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ADVAPI32.dll!RegCloseKey] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\perfts.dll[ADVAPI32.dll!RegQueryValueExA] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\UTILDLL.dll[ntdll.dll!RtlEnterCriticalSection] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\UTILDLL.dll[ntdll.dll!strstr] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\UTILDLL.dll[ntdll.dll!_wcsicmp] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\UTILDLL.dll[ntdll.dll!memset] [0] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\UTILDLL.dll[KERNEL32.dll!SystemTimeToFileTime] [0] ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe [2832:2544] 00000000743ba3e0 ---- Files - GMER 2.1 ---- File C:\Users\CONGO\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00004c 0 bytes File C:\Users\CONGO\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000151.log 0 bytes File C:\Users\CONGO\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000150 0 bytes File C:\Users\CONGO\AppData\Local\Google\Chrome\User Data\Default\Extension State\000167.log 0 bytes File C:\Users\CONGO\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000165 0 bytes ---- EOF - GMER 2.1 ----