GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-05 21:41:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST500LM0 rev.SM14 465,76GB Running: zhnbqv4b.exe; Driver: C:\Users\Ewelina\AppData\Local\Temp\pxliyfod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003201000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff8000320102f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 5 bytes JMP 000007fffd5500b8 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd56bfd0 5 bytes JMP 000007fffd550038 .text D:\Program Files (x86)\Lenovo\utility.exe[2740] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000771d6440 5 bytes JMP 0000000169ff0038 .text D:\Program Files (x86)\Lenovo\utility.exe[2740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 5 bytes JMP 000007fffd5500b8 .text D:\Program Files (x86)\Lenovo\utility.exe[2740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd56bfd0 5 bytes JMP 000007fffd550038 .text D:\Program Files (x86)\Lenovo\utility.exe[2740] C:\Windows\system32\WINMM.dll!waveOutReset 000007fef690a38c 5 bytes JMP 000007fefd5502b8 .text D:\Program Files (x86)\Lenovo\utility.exe[2740] C:\Windows\system32\WINMM.dll!waveOutPause 000007fef6924b60 5 bytes JMP 000007fefd550238 .text D:\Program Files (x86)\Lenovo\utility.exe[2740] C:\Windows\system32\WINMM.dll!waveOutRestart 000007fef6924ba0 5 bytes JMP 000007fefd5501b8 .text D:\Program Files (x86)\Lenovo\utility.exe[2740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdde7490 5 bytes JMP 000007fffd550138 .text D:\Program Files (x86)\Lenovo\Energy Management.exe[2752] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000771d6440 5 bytes JMP 0000000169ff0038 .text D:\Program Files (x86)\Lenovo\Energy Management.exe[2752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 5 bytes JMP 000007fffd5500b8 .text D:\Program Files (x86)\Lenovo\Energy Management.exe[2752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd56bfd0 5 bytes JMP 000007fffd550038 .text C:\Windows\System32\StikyNot.exe[2804] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000771d6440 5 bytes JMP 0000000169ff0038 .text C:\Windows\System32\StikyNot.exe[2804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 5 bytes JMP 000007fffd5500b8 .text C:\Windows\System32\StikyNot.exe[2804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd56bfd0 5 bytes JMP 000007fffd550038 .text C:\Windows\System32\StikyNot.exe[2804] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdde7490 5 bytes JMP 000007fffd550138 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000768f48db 5 bytes JMP 00000001100027c0 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000768f48f3 5 bytes JMP 00000001100028a0 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000768f4925 5 bytes JMP 0000000110002830 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075099d0b 5 bytes JMP 0000000110002900 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000752e1465 2 bytes [2E, 75] .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752e14bb 2 bytes [2E, 75] .text ... * 2 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007303adf9 5 bytes JMP 0000000110003440 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\SysWOW64\WINMM.dll!waveOutPause 0000000073055484 5 bytes JMP 00000001100034e0 .text C:\Users\Ewelina\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[2832] C:\Windows\SysWOW64\WINMM.dll!waveOutRestart 00000000730554b8 5 bytes JMP 0000000110003580 .text D:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2860] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000771d6440 5 bytes JMP 0000000169ff0038 .text D:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 5 bytes JMP 000007fffd5500b8 .text D:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd56bfd0 5 bytes JMP 000007fffd550038 .text D:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2860] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdde7490 5 bytes JMP 000007fffd550138 .text D:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2860] C:\Windows\system32\WINMM.dll!waveOutReset 000007fef690a38c 5 bytes JMP 000007fefd5502b8 .text D:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2860] C:\Windows\system32\WINMM.dll!waveOutPause 000007fef6924b60 5 bytes JMP 000007fefd550238 .text D:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2860] C:\Windows\system32\WINMM.dll!waveOutRestart 000007fef6924ba0 5 bytes JMP 000007fefd5501b8 .text D:\Users\Ewelina\Desktop\drivers\Touchpad\Synaptics\15.0.15.0\WinWDF\x64\SynTPEnh.exe[2876] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000771d6440 5 bytes JMP 0000000169ff0038 .text D:\Users\Ewelina\Desktop\drivers\Touchpad\Synaptics\15.0.15.0\WinWDF\x64\SynTPEnh.exe[2876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 5 bytes JMP 000007fffd5500b8 .text D:\Users\Ewelina\Desktop\drivers\Touchpad\Synaptics\15.0.15.0\WinWDF\x64\SynTPEnh.exe[2876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd56bfd0 5 bytes JMP 000007fffd550038 .text D:\Users\Ewelina\Desktop\drivers\Touchpad\Synaptics\15.0.15.0\WinWDF\x64\SynTPEnh.exe[2876] C:\Windows\system32\WINMM.dll!waveOutReset 000007fef690a38c 5 bytes JMP 000007fefd5502b8 .text D:\Users\Ewelina\Desktop\drivers\Touchpad\Synaptics\15.0.15.0\WinWDF\x64\SynTPEnh.exe[2876] C:\Windows\system32\WINMM.dll!waveOutPause 000007fef6924b60 5 bytes JMP 000007fefd550238 .text D:\Users\Ewelina\Desktop\drivers\Touchpad\Synaptics\15.0.15.0\WinWDF\x64\SynTPEnh.exe[2876] C:\Windows\system32\WINMM.dll!waveOutRestart 000007fef6924ba0 5 bytes JMP 000007fefd5501b8 .text D:\Users\Ewelina\Desktop\drivers\Touchpad\Synaptics\15.0.15.0\WinWDF\x64\SynTPEnh.exe[2876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdde7490 5 bytes JMP 000007fffd550138 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2996] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExA 00000000768f48db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2996] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryW 00000000768f48f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2996] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExW 00000000768f4925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2996] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075099d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2056] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000768f48db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2056] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000768f48f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2056] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000768f4925 5 bytes JMP 0000000110002830 .text D:\Program Files (x86)\Reader\reader_sl.exe[1580] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000768f48db 5 bytes JMP 00000001100027c0 .text D:\Program Files (x86)\Reader\reader_sl.exe[1580] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000768f48f3 5 bytes JMP 00000001100028a0 .text D:\Program Files (x86)\Reader\reader_sl.exe[1580] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000768f4925 5 bytes JMP 0000000110002830 .text D:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[2204] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000768f48db 5 bytes JMP 00000001100027c0 .text D:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[2204] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000768f48f3 5 bytes JMP 00000001100028a0 .text D:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[2204] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000768f4925 5 bytes JMP 0000000110002830 .text D:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[2204] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075099d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1656] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExA 00000000768f48db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1656] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryW 00000000768f48f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1656] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExW 00000000768f4925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1656] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075099d0b 5 bytes JMP 0000000110002900 .text D:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3080] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000771d6440 5 bytes JMP 0000000169ff0038 .text D:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 5 bytes JMP 000007fffd5500b8 .text D:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd56bfd0 5 bytes JMP 000007fffd550038 .text D:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3080] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdde7490 5 bytes JMP 000007fffd550138 .text D:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3080] C:\Windows\system32\WINMM.dll!waveOutReset 000007fef690a38c 5 bytes JMP 000007fefd5502b8 .text D:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3080] C:\Windows\system32\WINMM.dll!waveOutPause 000007fef6924b60 5 bytes JMP 000007fefd550238 .text D:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3080] C:\Windows\system32\WINMM.dll!waveOutRestart 000007fef6924ba0 5 bytes JMP 000007fefd5501b8 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000775df928 5 bytes JMP 0000000172b86ca1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775df9e0 5 bytes JMP 0000000172b864e9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775dfb28 5 bytes JMP 0000000172b85ef9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000775dfc20 5 bytes JMP 0000000172b831d9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc50 5 bytes JMP 0000000172b815f1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000775dfc80 5 bytes JMP 0000000172b81689 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775dfcb0 5 bytes JMP 0000000172b85e61 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775dfdc8 5 bytes JMP 0000000172b86c09 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe14 5 bytes JMP 0000000172b830a9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000775dfe44 5 bytes JMP 0000000172b83309 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000775dff24 5 bytes JMP 0000000172b83271 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775dffa4 5 bytes JMP 0000000172b86d39 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000775dffec 5 bytes JMP 0000000172b82ee1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775e0004 5 bytes JMP 0000000172b82db1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775e00b4 5 bytes JMP 0000000172b81ed9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775e01c4 5 bytes JMP 0000000172b82301 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e079c 5 bytes JMP 0000000172b86b71 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000775e0814 5 bytes JMP 0000000172b82e49 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775e08a4 5 bytes JMP 0000000172b82d19 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775e0df4 5 bytes JMP 0000000172b86581 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000775e1604 5 bytes JMP 0000000172b84ac9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000775e1920 5 bytes JMP 0000000172b83141 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775e1be4 5 bytes JMP 0000000172b86619 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000775e1d54 5 bytes JMP 0000000172b83439 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000775e1d70 5 bytes JMP 0000000172b833a1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775e1d8c 5 bytes JMP 0000000172b86dd1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000775e1ee8 5 bytes JMP 0000000172b869a9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000775f88c4 5 bytes JMP 0000000172b81ab1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077620d3b 5 bytes JMP 0000000172b82009 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007766860f 5 bytes JMP 0000000172b84b61 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007766e8ab 5 bytes JMP 0000000172b81f71 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 0000000172b81da9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 0000000172b82a21 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000768f48db 5 bytes JMP 00000001100027c0 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000768f48f3 5 bytes JMP 00000001100028a0 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000768f4925 5 bytes JMP 0000000110002830 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f499f 5 bytes JMP 0000000172b825f9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bbb 5 bytes JMP 0000000172b83011 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917327 5 bytes JMP 0000000172b82729 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000769188da 5 bytes JMP 0000000172b86451 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972ff1 5 bytes JMP 0000000172b828f1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007699748b 5 bytes JMP 0000000172b846a1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000769974ae 5 bytes JMP 0000000172b847d1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997859 5 bytes JMP 0000000172b84901 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769978d2 5 bytes JMP 0000000172b84a31 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000764d8f8d 5 bytes JMP 0000000172b81a19 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000764dc436 5 bytes JMP 0000000172b83b59 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000764deca6 5 bytes JMP 0000000172b83601 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000764df206 3 bytes JMP 0000000172b82399 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess + 4 00000000764df20a 1 byte [FC] .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000764dfa89 5 bytes JMP 0000000172b81e41 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000764e1358 5 bytes JMP 0000000172b83ac1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000764e137f 5 bytes JMP 0000000172b83a29 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000764e1d29 5 bytes JMP 0000000172b81981 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000764e1e15 5 bytes JMP 0000000172b824c9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000764e2ab1 5 bytes JMP 0000000172b86029 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000764e2cd9 5 bytes JMP 0000000172b85f91 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000764e2d17 5 bytes JMP 0000000172b860c1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000764e2e7a 5 bytes JMP 0000000172b818e9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000764e3b70 5 bytes JMP 0000000172b82269 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000764e4496 5 bytes JMP 0000000172b82431 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000764e4608 5 bytes JMP 0000000172b83569 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000764e4631 5 bytes JMP 0000000172b82c81 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000764ec734 5 bytes JMP 0000000172b827c1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000754778e2 5 bytes JMP 0000000172b84441 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075477bd3 5 bytes JMP 0000000172b843a9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075478a29 5 bytes JMP 0000000172b857d9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000754798fd 5 bytes JMP 0000000172b86289 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007547b6ed 5 bytes JMP 0000000172b86e69 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007547d22e 5 bytes JMP 0000000172b85871 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007547ee09 5 bytes JMP 0000000172b834d1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007547ffe6 5 bytes JMP 0000000172b86159 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000754800d9 5 bytes JMP 0000000172b861f1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000754805ba 5 bytes JMP 0000000172b84571 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075480dfb 5 bytes JMP 0000000172b85909 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000754812a5 5 bytes JMP 0000000172b86ad9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000754820ec 5 bytes JMP 0000000172b85c99 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075483baa 5 bytes JMP 0000000172b86a41 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075485f74 5 bytes JMP 0000000172b844d9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075486285 5 bytes JMP 0000000172b84bf9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075487603 5 bytes JMP 0000000172b82be9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075487aee 5 bytes JMP 0000000172b85c01 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007548835c 5 bytes JMP 0000000172b82b51 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007549ce54 5 bytes JMP 0000000172b85a39 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007549f52b 5 bytes JMP 0000000172b84c91 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007549f588 5 bytes JMP 0000000172b86321 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000754a10a0 5 bytes JMP 0000000172b859a1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000754cfcd6 5 bytes JMP 0000000172b85ad1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000754cfcfa 5 bytes JMP 0000000172b85b69 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076cca472 5 bytes JMP 0000000172b86f01 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076cd27ce 5 bytes JMP 0000000172b81be1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076cde6cf 5 bytes JMP 0000000172b81b49 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007684c9ec 5 bytes JMP 0000000172b83c89 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076852b70 5 bytes JMP 0000000172b83bf1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007685361c 5 bytes JMP 0000000172b840b1 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076854965 5 bytes JMP 0000000172b86f99 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768670c4 5 bytes JMP 0000000172b84311 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768670dc 5 bytes JMP 0000000172b83e51 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768670f4 5 bytes JMP 0000000172b83ee9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000768831f4 5 bytes JMP 0000000172b83f81 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076883204 5 bytes JMP 0000000172b84019 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076883214 5 bytes JMP 0000000172b83d21 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076883224 5 bytes JMP 0000000172b83db9 .text D:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3884] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076883264 5 bytes JMP 0000000172b84279 .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000774192d1 5 bytes [B8, 39, 69, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000774192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077431330 6 bytes [48, B8, 79, EC, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077431338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774313a0 6 bytes [48, B8, B9, D5, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000774313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077431470 6 bytes [48, B8, 79, C2, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077431478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077431510 6 bytes [48, B8, F9, 32, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077431518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077431530 6 bytes [48, B8, 39, 1C, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077431538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077431550 6 bytes [48, B8, F9, 1D, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077431558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077431570 6 bytes [48, B8, B9, C0, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077431578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077431620 6 bytes [48, B8, F9, E8, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077431628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077431650 6 bytes [48, B8, 79, 2F, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077431658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077431670 6 bytes [48, B8, 79, 36, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077431678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077431700 6 bytes [48, B8, B9, 34, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077431708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077431750 6 bytes [48, B8, 39, EE, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077431758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077431780 6 bytes [48, B8, 39, 2A, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077431788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077431790 6 bytes [48, B8, B9, 26, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077431798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077431800 6 bytes [48, B8, B9, EA, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077431808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774318b0 6 bytes [48, B8, B9, F1, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774318b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077431c80 6 bytes [48, B8, 39, E7, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077431c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077431cd0 6 bytes [48, B8, 79, 28, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077431cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077431d30 6 bytes [48, B8, F9, 24, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077431d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774320a0 6 bytes [48, B8, 79, D7, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000774320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000774325e0 6 bytes [48, B8, 79, 83, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000774325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774327e0 6 bytes [48, B8, 39, 31, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000774327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774329a0 6 bytes [48, B8, 39, D9, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000774329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077432a80 6 bytes [48, B8, 79, 3D, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077432a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077432a90 6 bytes [48, B8, B9, 3B, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077432a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077432aa0 6 bytes [48, B8, F9, EF, 17, 6A] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077432aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000774a3201 11 bytes [B8, 39, 85, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, F9, D3, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 79, E5, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd561861 11 bytes [B8, 79, 52, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd562db1 11 bytes [B8, B9, C7, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd563461 11 bytes [B8, 79, C9, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 12 bytes [48, B8, F9, C5, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd5694c0 12 bytes [48, B8, B9, 50, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd56bfd1 11 bytes [B8, 39, C4, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd572af1 11 bytes [B8, F9, 4E, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd594350 12 bytes [48, B8, B9, 42, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd5a2871 8 bytes [B8, 39, 23, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd5a287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd5a28b1 11 bytes [B8, F9, 40, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe58642d 11 bytes [B8, 39, 5B, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe586484 12 bytes [48, B8, F9, 55, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe586519 11 bytes [B8, 39, 62, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe586c34 12 bytes [48, B8, 39, 54, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe587ab5 11 bytes [B8, F9, 5C, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe588b01 11 bytes [B8, B9, 57, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe588c39 11 bytes [B8, 79, 59, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdd713b1 11 bytes [B8, F9, BE, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdd718e0 12 bytes [48, B8, 39, BD, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdd71bd1 11 bytes [B8, 79, BB, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdd72201 11 bytes [B8, F9, E1, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdd723c0 12 bytes [48, B8, 79, A6, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!connect 000007fefdd745c0 12 bytes [48, B8, 79, 67, 17, 6A, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdd78001 11 bytes [B8, B9, B9, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdd78df0 7 bytes [48, B8, 39, A8, 17, 6A, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdd78df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdd7de91 11 bytes [B8, F9, DA, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdd7df41 11 bytes [B8, 39, E0, 17, 6A, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdd9e0f1 11 bytes [B8, 79, DE, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000774192d1 5 bytes [B8, 39, 69, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000774192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077431310 6 bytes [48, B8, F9, DA, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 0000000077431318 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077431330 6 bytes [48, B8, 79, F3, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077431338 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774313a0 6 bytes [48, B8, B9, D5, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000774313a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077431470 6 bytes [48, B8, 79, C2, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077431478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077431510 6 bytes [48, B8, F9, 32, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077431518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077431530 6 bytes [48, B8, 39, 1C, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077431538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077431550 6 bytes [48, B8, F9, 1D, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077431558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077431570 6 bytes [48, B8, B9, C0, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077431578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077431620 6 bytes [48, B8, F9, EF, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077431628 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077431650 6 bytes [48, B8, 79, 2F, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077431658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077431670 6 bytes [48, B8, 79, 36, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077431678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077431700 6 bytes [48, B8, B9, 34, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077431708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077431750 6 bytes [48, B8, 39, F5, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077431758 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077431780 6 bytes [48, B8, 39, 2A, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077431788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077431790 6 bytes [48, B8, B9, 26, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077431798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077431800 6 bytes [48, B8, B9, F1, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077431808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774318b0 6 bytes [48, B8, B9, F8, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774318b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077431c80 6 bytes [48, B8, 39, EE, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077431c88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077431cd0 6 bytes [48, B8, 79, 28, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077431cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077431d30 6 bytes [48, B8, F9, 24, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077431d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774320a0 6 bytes [48, B8, 79, D7, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000774320a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000774325e0 6 bytes [48, B8, 79, 83, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000774325e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774327e0 6 bytes [48, B8, 39, 31, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000774327e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774329a0 6 bytes [48, B8, 39, D9, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000774329a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077432a80 6 bytes [48, B8, 79, 3D, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077432a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077432a90 6 bytes [48, B8, B9, 3B, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077432a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077432aa0 6 bytes [48, B8, F9, F6, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077432aa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077432b80 6 bytes [48, B8, F9, E8, 17, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077432b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000774a3201 11 bytes [B8, 39, 85, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, F9, D3, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 39, E7, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd561861 11 bytes [B8, 79, 52, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd562db1 11 bytes [B8, B9, C7, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd563461 11 bytes [B8, 79, C9, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 12 bytes [48, B8, F9, C5, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd5694c0 12 bytes [48, B8, B9, 50, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd56bfd1 11 bytes [B8, 39, C4, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd572af1 11 bytes [B8, F9, 4E, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd594350 12 bytes [48, B8, B9, 42, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd5a2871 8 bytes [B8, 39, 23, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd5a287a 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd5a28b1 11 bytes [B8, F9, 40, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe58642d 11 bytes [B8, 39, 5B, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe586484 12 bytes [48, B8, F9, 55, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe586519 11 bytes [B8, 39, 62, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe586c34 12 bytes [48, B8, 39, 54, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe587ab5 11 bytes [B8, F9, 5C, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe588b01 11 bytes [B8, B9, 57, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe588c39 11 bytes [B8, 79, 59, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdd713b1 11 bytes [B8, F9, BE, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdd718e0 12 bytes [48, B8, 39, BD, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdd71bd1 11 bytes [B8, 79, BB, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdd72201 11 bytes [B8, B9, E3, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdd723c0 12 bytes [48, B8, 79, A6, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!connect 000007fefdd745c0 12 bytes [48, B8, 79, 67, 17, 6A, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdd78001 11 bytes [B8, B9, B9, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdd78df0 7 bytes [48, B8, 39, A8, 17, 6A, 00] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdd78df9 3 bytes [00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdd7de91 11 bytes [B8, B9, DC, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdd7df41 11 bytes [B8, F9, E1, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdd9e0f1 11 bytes [B8, 39, E0, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007feff5c69ed 11 bytes [B8, F9, 63, 17, 6A, 00, 00, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4676] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007feff5d7620 12 bytes [48, B8, B9, 65, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000774192d1 5 bytes [B8, 39, 69, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000774192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077431330 6 bytes [48, B8, 79, EC, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077431338 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774313a0 6 bytes [48, B8, B9, D5, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000774313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077431470 6 bytes [48, B8, 79, C2, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077431478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077431510 6 bytes [48, B8, F9, 32, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077431518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077431530 6 bytes [48, B8, 39, 1C, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077431538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077431550 6 bytes [48, B8, F9, 1D, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077431558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077431570 6 bytes [48, B8, B9, C0, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077431578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077431620 6 bytes [48, B8, F9, E8, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077431628 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077431650 6 bytes [48, B8, 79, 2F, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077431658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077431670 6 bytes [48, B8, 79, 36, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077431678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077431700 6 bytes [48, B8, B9, 34, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077431708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077431750 6 bytes [48, B8, 39, EE, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077431758 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077431780 6 bytes [48, B8, 39, 2A, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077431788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077431790 6 bytes [48, B8, B9, 26, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077431798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077431800 6 bytes [48, B8, B9, EA, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077431808 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774318b0 6 bytes [48, B8, B9, F1, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774318b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077431c80 6 bytes [48, B8, 39, E7, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077431c88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077431cd0 6 bytes [48, B8, 79, 28, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077431cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077431d30 6 bytes [48, B8, F9, 24, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077431d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774320a0 6 bytes [48, B8, 79, D7, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000774320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000774325e0 6 bytes [48, B8, 79, 83, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000774325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774327e0 6 bytes [48, B8, 39, 31, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000774327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774329a0 6 bytes [48, B8, 39, D9, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000774329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077432a80 6 bytes [48, B8, 79, 3D, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077432a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077432a90 6 bytes [48, B8, B9, 3B, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077432a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077432aa0 6 bytes [48, B8, F9, EF, 17, 6A] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077432aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000774a3201 11 bytes [B8, 39, 85, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, F9, D3, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 79, E5, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd561861 11 bytes [B8, 79, 52, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd562db1 11 bytes [B8, B9, C7, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd563461 11 bytes [B8, 79, C9, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 12 bytes [48, B8, F9, C5, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd5694c0 12 bytes [48, B8, B9, 50, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd56bfd1 11 bytes [B8, 39, C4, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd572af1 11 bytes [B8, F9, 4E, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd594350 12 bytes [48, B8, B9, 42, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd5a2871 8 bytes [B8, 39, 23, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd5a287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd5a28b1 11 bytes [B8, F9, 40, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe58642d 11 bytes [B8, 39, 5B, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe586484 12 bytes [48, B8, F9, 55, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe586519 11 bytes [B8, 39, 62, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe586c34 12 bytes [48, B8, 39, 54, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe587ab5 11 bytes [B8, F9, 5C, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe588b01 11 bytes [B8, B9, 57, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe588c39 11 bytes [B8, 79, 59, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdd713b1 11 bytes [B8, F9, BE, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdd718e0 12 bytes [48, B8, 39, BD, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdd71bd1 11 bytes [B8, 79, BB, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdd72201 11 bytes [B8, F9, E1, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdd723c0 12 bytes [48, B8, 79, A6, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!connect 000007fefdd745c0 12 bytes [48, B8, 79, 67, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdd78001 11 bytes [B8, B9, B9, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdd78df0 7 bytes [48, B8, 39, A8, 17, 6A, 00] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdd78df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdd7de91 11 bytes [B8, F9, DA, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdd7df41 11 bytes [B8, 39, E0, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdd9e0f1 11 bytes [B8, 79, DE, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff4d4ea1 11 bytes [B8, F9, F6, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4d55c8 12 bytes [48, B8, B9, 6C, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff4eb85c 12 bytes [48, B8, F9, 6A, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feff4eb9d0 12 bytes [48, B8, 79, 60, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[4828] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff4eba3c 12 bytes [48, B8, B9, 5E, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, F9, D3, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 79, E5, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd561861 11 bytes [B8, 79, 52, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd562db1 11 bytes [B8, B9, C7, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd563461 11 bytes [B8, 79, C9, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 12 bytes [48, B8, F9, C5, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd5694c0 12 bytes [48, B8, B9, 50, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd56bfd1 11 bytes [B8, 39, C4, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd572af1 11 bytes [B8, F9, 4E, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd594350 12 bytes [48, B8, B9, 42, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd5a2871 8 bytes [B8, 39, 23, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd5a287a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd5a28b1 11 bytes [B8, F9, 40, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe58642d 11 bytes [B8, 39, 5B, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe586484 12 bytes [48, B8, F9, 55, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe586519 11 bytes [B8, 39, 62, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe586c34 12 bytes [48, B8, 39, 54, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe587ab5 11 bytes [B8, F9, 5C, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe588b01 11 bytes [B8, B9, 57, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe588c39 11 bytes [B8, 79, 59, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdd713b1 11 bytes [B8, F9, BE, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdd718e0 12 bytes [48, B8, 39, BD, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdd71bd1 11 bytes [B8, 79, BB, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdd72201 11 bytes [B8, F9, E1, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdd723c0 12 bytes [48, B8, 79, A6, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!connect 000007fefdd745c0 12 bytes [48, B8, 79, 67, 17, 6A, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdd78001 11 bytes [B8, B9, B9, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdd78df0 7 bytes [48, B8, 39, A8, 17, 6A, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdd78df9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdd7de91 11 bytes [B8, F9, DA, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdd7df41 11 bytes [B8, 39, E0, 17, 6A, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3880] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdd9e0f1 11 bytes [B8, 79, DE, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, F9, D3, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 79, E5, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd561861 11 bytes [B8, 79, 52, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd562db1 11 bytes [B8, B9, C7, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd563461 11 bytes [B8, 79, C9, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 12 bytes [48, B8, F9, C5, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd5694c0 12 bytes [48, B8, B9, 50, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd56bfd1 11 bytes [B8, 39, C4, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd572af1 11 bytes [B8, F9, 4E, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd594350 12 bytes [48, B8, B9, 42, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd5a2871 8 bytes [B8, 39, 23, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd5a287a 2 bytes [50, C3] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd5a28b1 11 bytes [B8, F9, 40, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe58642d 11 bytes [B8, 39, 5B, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe586484 12 bytes [48, B8, F9, 55, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe586519 11 bytes [B8, 39, 62, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe586c34 12 bytes [48, B8, 39, 54, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe587ab5 11 bytes [B8, F9, 5C, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe588b01 11 bytes [B8, B9, 57, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe588c39 11 bytes [B8, 79, 59, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdd713b1 11 bytes [B8, F9, BE, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdd718e0 12 bytes [48, B8, 39, BD, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdd71bd1 11 bytes [B8, 79, BB, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdd72201 11 bytes [B8, F9, E1, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdd723c0 12 bytes [48, B8, 79, A6, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!connect 000007fefdd745c0 12 bytes [48, B8, 79, 67, 17, 6A, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdd78001 11 bytes [B8, B9, B9, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdd78df0 7 bytes [48, B8, 39, A8, 17, 6A, 00] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdd78df9 3 bytes [00, 50, C3] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdd7de91 11 bytes [B8, F9, DA, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdd7df41 11 bytes [B8, 39, E0, 17, 6A, 00, 00, ...] .text C:\Windows\system32\sppsvc.exe[5752] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdd9e0f1 11 bytes [B8, 79, DE, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771c1b21 11 bytes [B8, F9, D3, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771c1c10 12 bytes [48, B8, F9, 39, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771ddb80 12 bytes [48, B8, B9, 2D, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000771e0931 11 bytes [B8, 79, E5, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772152f1 11 bytes [B8, B9, 7A, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077215311 11 bytes [B8, 39, 77, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007722a5e0 12 bytes [48, B8, B9, 81, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007722a6f0 12 bytes [48, B8, 39, 7E, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd561861 11 bytes [B8, 79, 52, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd562db1 11 bytes [B8, B9, C7, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd563461 11 bytes [B8, 79, C9, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd568ef0 12 bytes [48, B8, F9, C5, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd5694c0 12 bytes [48, B8, B9, 50, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd56bfd1 11 bytes [B8, 39, C4, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd572af1 11 bytes [B8, F9, 4E, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd594350 12 bytes [48, B8, B9, 42, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd5a2871 8 bytes [B8, 39, 23, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd5a287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd5a28b1 11 bytes [B8, F9, 40, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefe58642d 11 bytes [B8, 39, 5B, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe586484 12 bytes [48, B8, F9, 55, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefe586519 11 bytes [B8, 39, 62, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe586c34 12 bytes [48, B8, 39, 54, 17, 6A, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefe587ab5 11 bytes [B8, F9, 5C, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefe588b01 11 bytes [B8, B9, 57, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefe588c39 11 bytes [B8, 79, 59, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007feff5c69ed 11 bytes [B8, F9, 63, 17, 6A, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5788] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007feff5d7620 12 bytes [48, B8, B9, 65, 17, 6A, 00, ...] .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000775df8f0 5 bytes JMP 0000000172b866b1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000775df928 5 bytes JMP 0000000172b86d39 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775df9e0 5 bytes JMP 0000000172b864e9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775dfb28 5 bytes JMP 0000000172b85ef9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000775dfc20 5 bytes JMP 0000000172b831d9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc50 5 bytes JMP 0000000172b815f1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000775dfc80 5 bytes JMP 0000000172b81689 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775dfcb0 5 bytes JMP 0000000172b85e61 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775dfdc8 5 bytes JMP 0000000172b86ca1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe14 5 bytes JMP 0000000172b830a9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000775dfe44 5 bytes JMP 0000000172b83309 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000775dff24 5 bytes JMP 0000000172b83271 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775dffa4 5 bytes JMP 0000000172b86dd1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000775dffec 5 bytes JMP 0000000172b82ee1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775e0004 5 bytes JMP 0000000172b82db1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775e00b4 5 bytes JMP 0000000172b81ed9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775e01c4 5 bytes JMP 0000000172b82301 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e079c 5 bytes JMP 0000000172b86c09 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000775e0814 5 bytes JMP 0000000172b82e49 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775e08a4 5 bytes JMP 0000000172b82d19 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775e0df4 5 bytes JMP 0000000172b86581 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000775e1604 5 bytes JMP 0000000172b84ac9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000775e1920 5 bytes JMP 0000000172b83141 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775e1be4 5 bytes JMP 0000000172b86619 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000775e1d54 5 bytes JMP 0000000172b83439 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000775e1d70 5 bytes JMP 0000000172b833a1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775e1d8c 5 bytes JMP 0000000172b86e69 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000775e1ee8 5 bytes JMP 0000000172b86a41 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000775f88c4 5 bytes JMP 0000000172b81ab1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077620d3b 5 bytes JMP 0000000172b82009 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007766860f 5 bytes JMP 0000000172b84b61 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007766e8ab 5 bytes JMP 0000000172b81f71 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768f0e00 5 bytes JMP 0000000172b81da9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768f1072 5 bytes JMP 0000000172b82a21 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768f499f 5 bytes JMP 0000000172b825f9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076903bbb 5 bytes JMP 0000000172b83011 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000076917327 5 bytes JMP 0000000172b82729 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000769188da 5 bytes JMP 0000000172b86451 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076972ff1 5 bytes JMP 0000000172b828f1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007699748b 5 bytes JMP 0000000172b846a1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000769974ae 5 bytes JMP 0000000172b847d1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076997859 5 bytes JMP 0000000172b84901 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769978d2 5 bytes JMP 0000000172b84a31 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 00000000764d8f8d 5 bytes JMP 0000000172b81a19 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 00000000764dc436 5 bytes JMP 0000000172b83b59 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000764deca6 5 bytes JMP 0000000172b83601 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 00000000764df206 3 bytes JMP 0000000172b82399 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess + 4 00000000764df20a 1 byte [FC] .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 00000000764dfa89 5 bytes JMP 0000000172b81e41 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000764e1358 5 bytes JMP 0000000172b83ac1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000764e137f 5 bytes JMP 0000000172b83a29 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000764e1d29 5 bytes JMP 0000000172b81981 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000764e1e15 5 bytes JMP 0000000172b824c9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000764e2ab1 5 bytes JMP 0000000172b86029 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000764e2cd9 5 bytes JMP 0000000172b85f91 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000764e2d17 5 bytes JMP 0000000172b860c1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000764e2e7a 5 bytes JMP 0000000172b818e9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000764e3b70 5 bytes JMP 0000000172b82269 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000764e4496 5 bytes JMP 0000000172b82431 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000764e4608 5 bytes JMP 0000000172b83569 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000764e4631 5 bytes JMP 0000000172b82c81 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000764ec734 5 bytes JMP 0000000172b827c1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007684c9ec 5 bytes JMP 0000000172b83c89 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076852b70 5 bytes JMP 0000000172b83bf1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007685361c 5 bytes JMP 0000000172b840b1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076854965 5 bytes JMP 0000000172b86f01 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000768670c4 5 bytes JMP 0000000172b84311 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000768670dc 5 bytes JMP 0000000172b83e51 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000768670f4 5 bytes JMP 0000000172b83ee9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000768831f4 5 bytes JMP 0000000172b83f81 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076883204 5 bytes JMP 0000000172b84019 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076883214 5 bytes JMP 0000000172b83d21 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076883224 5 bytes JMP 0000000172b83db9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076883264 5 bytes JMP 0000000172b84279 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076cca472 5 bytes JMP 0000000172b86f99 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076cd27ce 5 bytes JMP 0000000172b81be1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076cde6cf 5 bytes JMP 0000000172b81b49 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000754778e2 5 bytes JMP 0000000172b84441 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075477bd3 5 bytes JMP 0000000172b843a9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075478a29 5 bytes JMP 0000000172b857d9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000754798fd 5 bytes JMP 0000000172b86289 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 000000007547b6ed 5 bytes JMP 0000000172b87031 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007547d22e 5 bytes JMP 0000000172b85871 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007547ee09 5 bytes JMP 0000000172b834d1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007547ffe6 5 bytes JMP 0000000172b86159 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000754800d9 5 bytes JMP 0000000172b861f1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000754805ba 5 bytes JMP 0000000172b84571 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075480dfb 5 bytes JMP 0000000172b85909 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000754812a5 5 bytes JMP 0000000172b86b71 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000754820ec 5 bytes JMP 0000000172b85c99 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075483baa 5 bytes JMP 0000000172b86ad9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075485f74 5 bytes JMP 0000000172b844d9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075486285 5 bytes JMP 0000000172b84bf9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075487603 5 bytes JMP 0000000172b82be9 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000075487aee 5 bytes JMP 0000000172b85c01 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007548835c 5 bytes JMP 0000000172b82b51 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007549ce54 5 bytes JMP 0000000172b85a39 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007549f52b 5 bytes JMP 0000000172b84c91 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007549f588 5 bytes JMP 0000000172b86321 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000754a10a0 5 bytes JMP 0000000172b859a1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000754cfcd6 5 bytes JMP 0000000172b85ad1 .text D:\Users\Ewelina\Downloads\zhnbqv4b.exe[2452] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000754cfcfa 5 bytes JMP 0000000172b85b69 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [2264:2540] 000007fef7cb2f9c ---- Processes - GMER 2.1 ---- Library \\?\D:\Program Files\Bitdefender\Antivirus Free Edition\bdnc.dll (*** suspicious ***) @ D:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [820] (FILE NOT FOUND) 000007fef7d60000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692 Reg HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Object List 12662 12668 12680 12690 12700 12720 12764 12774 12812 12818 12834 Reg HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Last Counter 12840 Reg HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Last Help 12841 Reg HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@First Counter 12662 Reg HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@First Help 12663 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692 (not active ControlSet) ---- EOF - GMER 2.1 ----