GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-21 22:11:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Crucial_CT256MX100SSD1 rev.MU01 238,47GB Running: gmer.exe; Driver: C:\Users\Spider\AppData\Local\Temp\kwrdipog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2460] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2460] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2576] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 000000006dc01a22 2 bytes [C0, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2576] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 000000006dc01ad0 2 bytes [C0, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2576] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 000000006dc01b08 2 bytes [C0, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2576] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 000000006dc01bba 2 bytes [C0, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2576] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 000000006dc01bda 2 bytes [C0, 6D] .text C:\Users\Spider\AppData\Roaming\uTorrent\uTorrent.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Users\Spider\AppData\Roaming\uTorrent\uTorrent.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe[4436] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000758887b1 5 bytes JMP 000000016e221000 .text C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe[4444] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000758887b1 5 bytes JMP 000000016e221000 .text C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00000000777313d0 6 bytes [48, B8, 50, A7, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 00000000777313d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077731480 6 bytes [48, B8, F8, A5, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077731488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes [48, B8, F8, A0, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000777315e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes [48, B8, 68, 9E, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077731628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077731680 6 bytes [48, B8, 00, A3, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077731688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777316b0 6 bytes [48, B8, D0, 97, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000777316b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077731730 6 bytes [48, B8, A8, 96, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077731738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes [48, B8, 20, 9D, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077731758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes [48, B8, 90, 9E, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077731808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077731830 6 bytes [48, B8, 80, 96, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077731838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077731c20 6 bytes [48, B8, D8, A4, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077731c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077731c60 6 bytes [48, B8, F8, 97, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 0000000077731c68 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077731c80 6 bytes [48, B8, 40, 99, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077731c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077731c90 6 bytes [48, B8, 54, 9F, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077731c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077731d10 6 bytes [48, B8, 88, 9A, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077731d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077731d40 6 bytes [48, B8, D8, 9B, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077731d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077731e00 6 bytes [48, B8, 40, A2, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077731e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777321e0 6 bytes [48, B8, 50, A7, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 00000000777321e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077732200 6 bytes [48, B8, 88, A7, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077732208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077732230 6 bytes [48, B8, 18, 99, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077732238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077732240 6 bytes [48, B8, 60, 9A, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077732248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077732290 6 bytes [48, B8, B0, 9B, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077732298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 00000000777322b0 6 bytes [48, B8, 5C, 96, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 00000000777322b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777322d0 6 bytes [48, B8, F8, 9C, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 00000000777322d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077732410 6 bytes [48, B8, EC, A3, 16, 02] .text C:\Windows\explorer.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077732418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774de750 12 bytes {MOV RAX, 0x216a828; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000774e1b51 8 bytes [B8, BC, A7, 16, 02, 00, 00, ...] .text C:\Windows\explorer.exe[5852] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000774e1b5a 2 bytes {JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x2143364; JMP RAX} .text C:\Windows\explorer.exe[5852] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x216a8a8; JMP RAX} .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x1c19824; JMP RAX} .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x1c40d68; JMP RAX} .text C:\Windows\system32\ctfmon.exe[5896] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x4f0544; JMP RAX} .text C:\Windows\system32\ctfmon.exe[5896] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x517a88; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00000000777313d0 5 bytes [48, B8, F0, 6C, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 00000000777313d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077731480 5 bytes [48, B8, 98, 6B, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077731488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 5 bytes [48, B8, 98, 66, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000777315e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 5 bytes [48, B8, 08, 64, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077731628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077731680 5 bytes [48, B8, A0, 68, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077731688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777316b0 5 bytes [48, B8, 70, 5D, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000777316b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077731730 5 bytes [48, B8, 48, 5C, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077731738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 5 bytes [48, B8, C0, 62, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077731758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 5 bytes [48, B8, 30, 64, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077731808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077731830 5 bytes [48, B8, 20, 5C, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077731838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077731c20 5 bytes [48, B8, 78, 6A, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077731c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077731c60 5 bytes [48, B8, 98, 5D, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 0000000077731c68 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077731c80 5 bytes [48, B8, E0, 5E, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077731c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077731c90 5 bytes [48, B8, F4, 64, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077731c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077731d10 5 bytes [48, B8, 28, 60, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077731d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077731d40 5 bytes [48, B8, 78, 61, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077731d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077731e00 5 bytes [48, B8, E0, 67, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077731e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777321e0 5 bytes [48, B8, F0, 6C, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 00000000777321e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077732200 5 bytes [48, B8, 28, 6D, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077732208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077732230 5 bytes [48, B8, B8, 5E, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077732238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077732240 5 bytes [48, B8, 00, 60, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077732248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077732290 5 bytes [48, B8, 50, 61, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077732298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 00000000777322b0 5 bytes [48, B8, FC, 5B, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 00000000777322b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777322d0 5 bytes [48, B8, 98, 62, 59] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 00000000777322d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077732410 6 bytes [48, B8, 8C, 69, 59, 00] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077732418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774de750 12 bytes {MOV RAX, 0x596dc8; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000774e1b51 8 bytes [B8, 5C, 6D, 59, 00, 00, 00, ...] .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000774e1b5a 2 bytes {JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\system32\SspiCli.dll!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x56f904; JMP RAX} .text C:\Windows\system32\msiexec.exe[5920] C:\Windows\system32\SspiCli.dll!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x596e48; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00000000777313d0 5 bytes [48, B8, D0, D3, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 00000000777313d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077731480 5 bytes [48, B8, 78, D2, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077731488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 5 bytes [48, B8, 78, CD, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000777315e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 5 bytes [48, B8, E8, CA, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077731628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077731680 5 bytes [48, B8, 80, CF, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077731688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777316b0 5 bytes [48, B8, 50, C4, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000777316b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077731730 5 bytes [48, B8, 28, C3, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077731738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 5 bytes [48, B8, A0, C9, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077731758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 5 bytes [48, B8, 10, CB, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077731808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077731830 5 bytes [48, B8, 00, C3, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077731838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077731c20 5 bytes [48, B8, 58, D1, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077731c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077731c60 5 bytes [48, B8, 78, C4, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 0000000077731c68 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077731c80 5 bytes [48, B8, C0, C5, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077731c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077731c90 5 bytes [48, B8, D4, CB, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077731c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077731d10 5 bytes [48, B8, 08, C7, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077731d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077731d40 5 bytes [48, B8, 58, C8, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077731d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077731e00 5 bytes [48, B8, C0, CE, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077731e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777321e0 5 bytes [48, B8, D0, D3, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 00000000777321e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077732200 5 bytes [48, B8, 08, D4, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077732208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077732230 5 bytes [48, B8, 98, C5, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077732238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077732240 5 bytes [48, B8, E0, C6, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077732248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077732290 5 bytes [48, B8, 30, C8, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077732298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 00000000777322b0 5 bytes [48, B8, DC, C2, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 00000000777322b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777322d0 5 bytes [48, B8, 78, C9, 5E] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 00000000777322d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077732410 6 bytes [48, B8, 6C, D0, 5E, 00] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077732418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\kernel32.dll!CompareStringA 00000000774d1300 5 bytes JMP 00000001774b0e16 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\kernel32.dll!CreateThread 00000000774d6580 5 bytes JMP 00000001774b0dd7 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774de750 12 bytes {MOV RAX, 0x5ed4a8; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000774e1b51 8 bytes [B8, 3C, D4, 5E, 00, 00, 00, ...] .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000774e1b5a 2 bytes {JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe1d7490 5 bytes JMP 000007fffd990fd9 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\OLEAUT32.dll!SysAllocString 000007feff913480 5 bytes JMP 000007fffd990ed5 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\SHLWAPI.dll!GetAcceptLanguagesW 000007fefe4db230 5 bytes JMP 000007fffd990f0e .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\SHLWAPI.dll!GetAcceptLanguagesA 000007fefe4f5f68 5 bytes JMP 000007fffd990f53 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\urlmon.dll!ObtainUserAgentString 000007feff49cc68 5 bytes JMP 000007fffd990f93 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x5c5fe4; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x5ed528; JMP RAX} .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\winmm.dll!PlaySoundW 000007fefa812144 5 bytes JMP 000007fffa800f93 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\winmm.dll!waveOutOpen 000007fefa8138d0 5 bytes JMP 000007fffa800f53 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\winmm.dll!PlaySound 000007fefa832f10 5 bytes JMP 000007fffa800fd9 .text C:\Windows\system32\dllhost.exe[5980] C:\Windows\system32\mlang.dll!LcidToRfc1766W 000007fefb361744 5 bytes JMP 000007fffa800f13 .text C:\Windows\system32\msdtc.exe[6032] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x3387d04; JMP RAX} .text C:\Windows\system32\msdtc.exe[6032] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x33af248; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00000000777313d0 6 bytes [48, B8, 30, 8A, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 00000000777313d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077731480 6 bytes [48, B8, D8, 88, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077731488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes [48, B8, D8, 83, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000777315e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes [48, B8, 48, 81, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077731628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077731680 6 bytes [48, B8, E0, 85, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077731688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777316b0 6 bytes [48, B8, B0, 7A, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000777316b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077731730 6 bytes [48, B8, 88, 79, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077731738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes [48, B8, 00, 80, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077731758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes [48, B8, 70, 81, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077731808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077731830 6 bytes [48, B8, 60, 79, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077731838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077731c20 6 bytes [48, B8, B8, 87, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077731c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077731c60 6 bytes [48, B8, D8, 7A, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 0000000077731c68 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077731c80 6 bytes [48, B8, 20, 7C, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077731c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077731c90 6 bytes [48, B8, 34, 82, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077731c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077731d10 6 bytes [48, B8, 68, 7D, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077731d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077731d40 6 bytes [48, B8, B8, 7E, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077731d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077731e00 6 bytes [48, B8, 20, 85, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077731e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777321e0 6 bytes [48, B8, 30, 8A, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 00000000777321e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077732200 6 bytes [48, B8, 68, 8A, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077732208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077732230 6 bytes [48, B8, F8, 7B, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077732238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077732240 6 bytes [48, B8, 40, 7D, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077732248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077732290 6 bytes [48, B8, 90, 7E, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077732298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 00000000777322b0 6 bytes [48, B8, 3C, 79, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 00000000777322b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777322d0 6 bytes [48, B8, D8, 7F, FA, 01] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 00000000777322d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077732410 5 bytes [48, B8, CC, 86, FA] .text C:\Windows\system32\cmd.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077732418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x1f81644; JMP RAX} .text C:\Windows\system32\cmd.exe[6064] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x1fa8b88; JMP RAX} .text C:\Windows\system32\conhost.exe[5360] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x292ba4; JMP RAX} .text C:\Windows\system32\conhost.exe[5360] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x2ba0e8; JMP RAX} .text C:\Windows\system32\dllhost.exe[3332] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x1c3cb84; JMP RAX} .text C:\Windows\system32\dllhost.exe[3332] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x1c640c8; JMP RAX} .text C:\Windows\system32\conhost.exe[408] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x1ebd8e4; JMP RAX} .text C:\Windows\system32\conhost.exe[408] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x1ee4e28; JMP RAX} .text C:\Windows\system32\conhost.exe[3232] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 4 bytes [48, B8, 04, 44] .text C:\Windows\system32\conhost.exe[3232] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle + 5 000007fefd2f1d95 7 bytes [01, 00, 00, 00, 00, FF, E0] .text C:\Windows\system32\conhost.exe[3232] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x1eeb948; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00000000777313d0 6 bytes [48, B8, 50, FF, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 00000000777313d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077731480 6 bytes [48, B8, F8, FD, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077731488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes [48, B8, F8, F8, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000777315e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes [48, B8, 68, F6, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077731628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077731680 6 bytes [48, B8, 00, FB, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077731688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777316b0 6 bytes [48, B8, D0, EF, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000777316b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077731730 6 bytes [48, B8, A8, EE, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077731738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes [48, B8, 20, F5, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077731758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes [48, B8, 90, F6, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077731808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077731830 6 bytes [48, B8, 80, EE, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077731838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077731c20 6 bytes [48, B8, D8, FC, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077731c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077731c60 6 bytes [48, B8, F8, EF, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 0000000077731c68 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077731c80 6 bytes [48, B8, 40, F1, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077731c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077731c90 6 bytes [48, B8, 54, F7, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077731c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077731d10 6 bytes [48, B8, 88, F2, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077731d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077731d40 6 bytes [48, B8, D8, F3, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077731d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077731e00 6 bytes [48, B8, 40, FA, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077731e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777321e0 6 bytes [48, B8, 50, FF, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 00000000777321e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077732200 6 bytes [48, B8, 88, FF, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077732208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077732230 6 bytes [48, B8, 18, F1, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077732238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077732240 6 bytes [48, B8, 60, F2, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077732248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077732290 6 bytes [48, B8, B0, F3, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077732298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 00000000777322b0 6 bytes [48, B8, 5C, EE, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 00000000777322b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777322d0 6 bytes [48, B8, F8, F4, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 00000000777322d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077732410 6 bytes [48, B8, EC, FB, 1B, 02] .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077732418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x2198b64; JMP RAX} .text C:\Windows\system32\PresentationHost.exe[5848] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x21c00a8; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00000000777313d0 6 bytes [48, B8, 90, 6F, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 00000000777313d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077731480 6 bytes [48, B8, 38, 6E, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077731488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes [48, B8, 38, 69, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000777315e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes [48, B8, A8, 66, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077731628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077731680 6 bytes [48, B8, 40, 6B, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077731688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777316b0 6 bytes [48, B8, 10, 60, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000777316b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077731730 6 bytes [48, B8, E8, 5E, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077731738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes [48, B8, 60, 65, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077731758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes [48, B8, D0, 66, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077731808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077731830 6 bytes [48, B8, C0, 5E, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077731838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077731c20 6 bytes [48, B8, 18, 6D, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077731c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077731c60 6 bytes [48, B8, 38, 60, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 0000000077731c68 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077731c80 6 bytes [48, B8, 80, 61, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077731c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077731c90 6 bytes [48, B8, 94, 67, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077731c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077731d10 6 bytes [48, B8, C8, 62, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077731d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077731d40 6 bytes [48, B8, 18, 64, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077731d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077731e00 6 bytes [48, B8, 80, 6A, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077731e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777321e0 6 bytes [48, B8, 90, 6F, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 00000000777321e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077732200 6 bytes [48, B8, C8, 6F, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077732208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077732230 6 bytes [48, B8, 58, 61, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077732238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077732240 6 bytes [48, B8, A0, 62, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077732248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077732290 4 bytes [48, B8, F0, 63] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 5 0000000077732295 1 byte [01] .text ... * 2 .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 00000000777322b0 6 bytes [48, B8, 9C, 5E, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 00000000777322b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777322d0 6 bytes [48, B8, 38, 65, FB, 01] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 00000000777322d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077732410 5 bytes [48, B8, 2C, 6C, FB] .text C:\Windows\system32\cmd.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077732418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd2f1d90 12 bytes {MOV RAX, 0x1f8fba4; JMP RAX} .text C:\Windows\system32\cmd.exe[5900] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd305444 12 bytes {MOV RAX, 0x1fb70e8; JMP RAX} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c91465 2 bytes [C9, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c914bb 2 bytes [C9, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Explorer.EXE [1808:2584] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:2588] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:2592] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:2596] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:2600] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:2604] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:2632] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:5828] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:5832] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:5836] 0000000002655ed0 Thread C:\Windows\Explorer.EXE [1808:5840] 0000000002655ed0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3280:3980] 000007fefb872ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3280:1220] 000007feeec6d618 Thread C:\Windows\explorer.exe [5852:5864] 000000000216db10 Thread C:\Windows\explorer.exe [5852:5868] 000000000216db10 Thread C:\Windows\explorer.exe [5852:5880] 00000000000ee244 Thread C:\Windows\system32\ctfmon.exe [5872:5888] 0000000001c43fd0 Thread C:\Windows\system32\ctfmon.exe [5872:5892] 0000000001c43fd0 Thread C:\Windows\system32\ctfmon.exe [5872:5904] 00000000000fe7c4 Thread C:\Windows\system32\ctfmon.exe [5896:5908] 000000000051acf0 Thread C:\Windows\system32\ctfmon.exe [5896:5912] 000000000051acf0 Thread C:\Windows\system32\ctfmon.exe [5896:5916] 000000000012e244 Thread C:\Windows\system32\msiexec.exe [5920:5932] 000000000059a0b0 Thread C:\Windows\system32\msiexec.exe [5920:5936] 000000000059a0b0 Thread C:\Windows\system32\msiexec.exe [5920:5940] 00000000000df944 Thread C:\Windows\system32\dllhost.exe [5980:5992] 00000000005f0790 Thread C:\Windows\system32\dllhost.exe [5980:5996] 00000000005f0790 Thread C:\Windows\system32\dllhost.exe [5980:6000] 00000000000df084 Thread C:\Windows\system32\dllhost.exe [5980:5744] 00000000000e225c Thread C:\Windows\system32\msdtc.exe [6032:6044] 00000000033b24b0 Thread C:\Windows\system32\msdtc.exe [6032:6048] 00000000033b24b0 Thread C:\Windows\system32\msdtc.exe [6032:6052] 000000000015eec4 Thread C:\Windows\system32\cmd.exe [6064:6084] 0000000001fabdf0 Thread C:\Windows\system32\cmd.exe [6064:6088] 0000000001fabdf0 Thread C:\Windows\system32\cmd.exe [6064:6092] 000000000010fd04 Thread C:\Windows\system32\conhost.exe [5360:504] 00000000002bd350 Thread C:\Windows\system32\conhost.exe [5360:5468] 00000000002bd350 Thread C:\Windows\system32\conhost.exe [5360:5504] 000000000004ec44 Thread C:\Windows\system32\dllhost.exe [3332:3372] 0000000001c67330 Thread C:\Windows\system32\dllhost.exe [3332:5792] 0000000001c67330 Thread C:\Windows\system32\dllhost.exe [3332:5796] 00000000000df984 Thread C:\Windows\system32\conhost.exe [408:3832] 0000000001ee8090 Thread C:\Windows\system32\conhost.exe [408:1796] 0000000001ee8090 Thread C:\Windows\system32\conhost.exe [408:980] 000000000007fac4 Thread C:\Windows\system32\conhost.exe [3232:3364] 0000000001eeebb0 Thread C:\Windows\system32\conhost.exe [3232:5844] 0000000001eeebb0 Thread C:\Windows\system32\conhost.exe [3232:1856] 00000000000ef1c4 Thread C:\Windows\system32\PresentationHost.exe [5848:3296] 00000000021c3310 Thread C:\Windows\system32\PresentationHost.exe [5848:4408] 00000000021c3310 Thread C:\Windows\system32\PresentationHost.exe [5848:3196] 00000000000ee244 Thread C:\Windows\system32\cmd.exe [5900:4784] 0000000001fba350 Thread C:\Windows\system32\cmd.exe [5900:1588] 0000000001fba350 Thread C:\Windows\system32\cmd.exe [5900:5924] 00000000000ef4c4 ---- Processes - GMER 2.1 ---- Library C:\Users\Spider\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1808] (GG drive menu/GG Network S.A.)(2 000000005ff80000 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Spider\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- Files - GMER 2.1 ---- File C:\Users\Spider\AppData\Local\Temp\modules00 0 bytes File C:\Users\Spider\AppData\Local\Temp\modules11 0 bytes ---- EOF - GMER 2.1 ----