GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-06 22:59:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9750420AS rev.0001DEM1 698,64GB Running: 1mwe55yp.exe; Driver: C:\Users\Bubsky\AppData\Local\Temp\awrdipod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf41861 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf42db1 11 bytes [B8, 79, D0, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf43461 11 bytes [B8, 39, D2, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 39, 2D, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, B9, 29, 2B, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, 79, 2B, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf48f20 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, 79, 4E, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, F9, FD, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, B9, CE, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf4ca31 11 bytes [B8, F9, CC, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf537d1 11 bytes [B8, F9, 4E, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, B9, EA, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2a642d 11 bytes [B8, 39, 5B, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2a6484 12 bytes [48, B8, F9, 55, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2a6519 11 bytes [B8, 39, 62, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2a6c34 12 bytes [48, B8, 39, 54, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2a7ab5 11 bytes [B8, F9, 5C, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2a8b01 11 bytes [B8, B9, 57, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1776] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2a8c39 11 bytes [B8, 79, 59, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076ed85e1 11 bytes [B8, F9, 35, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076ee6921 7 bytes [B8, 39, 69, 2A, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076ee692a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076efda30 6 bytes [48, B8, B9, 3E, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076efda38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076efdaa0 6 bytes [48, B8, 79, C2, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076efdaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076efdb70 6 bytes [48, B8, 39, AF, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076efdb78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076efdbc0 6 bytes [48, B8, 39, 34, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076efdbc8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076efdc10 6 bytes [48, B8, F9, 32, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076efdc18 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076efdc30 6 bytes [48, B8, 39, 1C, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076efdc38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076efdc50 6 bytes [48, B8, F9, 1D, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076efdc58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076efdc70 6 bytes [48, B8, 79, AD, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076efdc78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076efdd20 6 bytes [48, B8, F9, 3C, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076efdd28 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076efdd50 6 bytes [48, B8, 79, 2F, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076efdd58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076efdd70 6 bytes [48, B8, 79, 36, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076efdd78 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076efde00 6 bytes [48, B8, B9, 34, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076efde08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076efde30 6 bytes [48, B8, 39, 0A, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076efde38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076efde50 6 bytes [48, B8, 79, 40, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076efde58 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076efde80 6 bytes [48, B8, 39, 2A, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076efde88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076efde90 6 bytes [48, B8, B9, 26, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076efde98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076efdf00 6 bytes [48, B8, 79, DE, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076efdf08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076efdfb0 6 bytes [48, B8, F9, 43, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076efdfb8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076efe380 6 bytes [48, B8, 39, 3B, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076efe388 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076efe3d0 6 bytes [48, B8, 79, 28, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076efe3d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076efe430 6 bytes [48, B8, F9, 24, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076efe438 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076efe7a0 6 bytes [48, B8, 39, C4, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076efe7a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076efe970 6 bytes [48, B8, 79, 32, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076efe978 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076efece0 6 bytes [48, B8, 79, 83, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076efece8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076efeee0 6 bytes [48, B8, 39, 31, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076efeee8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eff0a0 6 bytes [48, B8, F9, C5, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076eff0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076eff180 6 bytes [48, B8, 79, 3D, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076eff188 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076eff190 6 bytes [48, B8, B9, 3B, 2A, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076eff198 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eff1a0 6 bytes [48, B8, 39, 42, 2B, 75] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076eff1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f6f0c1 11 bytes [B8, 39, 85, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf41861 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf42db1 11 bytes [B8, 79, B4, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf43461 11 bytes [B8, 39, B6, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 79, 0F, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, F9, 0B, 2B, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, B9, 0D, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf48f20 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, B9, 30, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, 39, E0, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, B9, B2, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf4ca31 11 bytes [B8, F9, B0, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf537d1 11 bytes [B8, F9, 4E, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, B9, CE, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefdfeb031 11 bytes [B8, B9, 45, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe004991 11 bytes [B8, F9, 20, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe0049b1 11 bytes [B8, B9, 22, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe019209 11 bytes [B8, 39, 26, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefee7ae81 11 bytes [B8, B9, 29, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefee7aee1 11 bytes [B8, 39, 11, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefee7e6e9 11 bytes [B8, F9, 2E, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefee8048d 11 bytes [B8, F9, 12, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefee80579 11 bytes [B8, F9, 27, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefee805b1 11 bytes [B8, 79, 2B, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefee805f9 5 bytes [B8, 39, 2D, 2B, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefee94e21 11 bytes [B8, 39, 49, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefee95538 12 bytes [48, B8, B9, 6C, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeeab9c1 7 bytes [B8, 79, 16, 2B, 75, 00, 00] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeeab9ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeeaba4c 12 bytes [48, B8, F9, 6A, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeeabbc0 12 bytes [48, B8, 79, 60, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeeabc2c 12 bytes [48, B8, B9, 5E, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdd113b1 11 bytes [B8, B9, AB, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdd118e0 12 bytes [48, B8, F9, A9, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdd11bd1 11 bytes [B8, 39, A8, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdd12201 11 bytes [B8, 39, 1F, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdd123c0 12 bytes [48, B8, 39, 8C, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!connect 000007fefdd145c0 12 bytes [48, B8, 79, 67, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdd18001 11 bytes [B8, 79, A6, 2A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdd18df0 7 bytes [48, B8, B9, 8F, 2A, 75, 00] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdd18df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefdd1c090 12 bytes [48, B8, F9, 8D, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdd1de91 11 bytes [B8, 39, 18, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdd1df41 11 bytes [B8, 79, 1D, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdd3e0f1 11 bytes [B8, B9, 1B, 2B, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1892] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fefb0822e0 12 bytes [48, B8, F9, A2, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fefb0845f8 12 bytes [48, B8, 39, A1, 2A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1892] c:\windows\system32\WINHTTP.dll!WinHttpConnect 000007fefb093e3c 12 bytes [48, B8, B9, A4, 2A, 75, 00, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000770af968 5 bytes JMP 0000000175169209 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000770afa20 5 bytes JMP 00000001751667e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000770afb68 5 bytes JMP 00000001751661f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000770afbe8 5 bytes JMP 0000000175168de1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000770afc60 5 bytes JMP 00000001751631d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770afc90 5 bytes JMP 00000001751615f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000770afcc0 5 bytes JMP 0000000175161689 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770afcf0 5 bytes JMP 0000000175166159 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000770afe08 5 bytes JMP 0000000175169171 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000770afe54 5 bytes JMP 00000001751630a9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000770afe84 5 bytes JMP 0000000175163309 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000770aff00 5 bytes JMP 0000000175167161 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000770aff64 5 bytes JMP 0000000175163271 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000770affb4 5 bytes JMP 0000000175167fa1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000770affe4 5 bytes JMP 00000001751692a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000770b002c 5 bytes JMP 0000000175162ee1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000770b0044 5 bytes JMP 0000000175162db1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770b00f4 5 bytes JMP 0000000175161ed9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770b0204 5 bytes JMP 0000000175162301 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770b07dc 5 bytes JMP 00000001751690d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000770b0854 5 bytes JMP 0000000175162e49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770b08e4 5 bytes JMP 0000000175162d19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000770b0e34 5 bytes JMP 0000000175166879 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000770b1100 5 bytes JMP 0000000175168d49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000770b1644 5 bytes JMP 0000000175164ac9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770b1960 5 bytes JMP 0000000175163141 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000770b1c24 5 bytes JMP 0000000175166911 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000770b1d94 5 bytes JMP 0000000175163439 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000770b1db0 5 bytes JMP 00000001751633a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000770b1dcc 5 bytes JMP 0000000175169339 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000770b1f28 5 bytes JMP 0000000175168f11 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000770c28e4 5 bytes JMP 0000000175161ab1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000770c8e61 5 bytes JMP 0000000175168e79 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000770f0eab 5 bytes JMP 0000000175162009 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077138b7f 5 bytes JMP 0000000175164b61 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007713ee1b 5 bytes JMP 0000000175161f71 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075790e00 5 bytes JMP 0000000175161da9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075791072 5 bytes JMP 0000000175162a21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007579498f 5 bytes JMP 00000001751625f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757a3bab 5 bytes JMP 0000000175163011 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757a9aa4 5 bytes JMP 00000001751670c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000757a9b05 5 bytes JMP 0000000175166e69 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000757b7327 5 bytes JMP 0000000175162729 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000757b88da 5 bytes JMP 0000000175166749 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000757bccb1 5 bytes JMP 0000000175166d39 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757bccd1 5 bytes JMP 0000000175166f99 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075813161 5 bytes JMP 00000001751628f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007583759b 5 bytes JMP 00000001751646a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000758375be 5 bytes JMP 00000001751647d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075837969 5 bytes JMP 0000000175164901 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000758379e2 5 bytes JMP 0000000175164a31 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c48f8d 5 bytes JMP 0000000175161a19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c4c436 5 bytes JMP 0000000175163b59 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076c4d0af 5 bytes JMP 00000001751671f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c4eca6 5 bytes JMP 0000000175163601 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c4f206 5 bytes JMP 0000000175162399 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c4fa89 5 bytes JMP 0000000175161e41 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076c4fbb7 5 bytes JMP 0000000175166c09 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c51358 5 bytes JMP 0000000175163ac1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c5137f 5 bytes JMP 0000000175163a29 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c51d29 5 bytes JMP 0000000175161981 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c51e15 5 bytes JMP 00000001751624c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c52ab1 5 bytes JMP 0000000175166321 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c52cdf 5 bytes JMP 0000000175166289 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c52d1d 5 bytes JMP 00000001751663b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c52e80 5 bytes JMP 00000001751618e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c53b76 5 bytes JMP 0000000175162269 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c5449c 5 bytes JMP 0000000175162431 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c5460e 5 bytes JMP 0000000175163569 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c54637 5 bytes JMP 0000000175162c81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076c5a217 5 bytes JMP 00000001751680d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076c5a426 5 bytes JMP 0000000175168169 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076c5a500 5 bytes JMP 0000000175168039 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c5c73a 5 bytes JMP 00000001751627c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076c5e2a4 5 bytes JMP 0000000175168cb1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000001f8e89 5 bytes JMP 0000000075168331 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000001f9179 5 bytes JMP 0000000075168201 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000001f9186 5 bytes JMP 0000000075168a51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000001fc4d2 5 bytes JMP 0000000075168c19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000001fc9ec 5 bytes JMP 0000000075163c89 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000001fdeb4 5 bytes JMP 0000000075168299 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000001fded6 5 bytes JMP 0000000075168b81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000001fdeee 5 bytes JMP 00000000751689b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000001fdf1e 5 bytes JMP 0000000075168ae9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000000202b50 5 bytes JMP 0000000075163bf1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000002035fc 5 bytes JMP 00000000751640b1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000000020494d 5 bytes JMP 00000000751693d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 000000000021714c 5 bytes JMP 0000000075164311 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000000217164 5 bytes JMP 0000000075163e51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000000021717c 5 bytes JMP 0000000075163ee9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000002177c3 5 bytes JMP 00000000751683c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000000233384 5 bytes JMP 0000000075163f81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000000233394 5 bytes JMP 0000000075164019 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000002333a4 5 bytes JMP 0000000075163d21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000002333b4 5 bytes JMP 0000000075163db9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000002333f4 5 bytes JMP 0000000075164279 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000000e1a472 5 bytes JMP 0000000075169469 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000000e227ce 5 bytes JMP 0000000075161be1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000000e2e6cf 5 bytes JMP 0000000075161b49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a33918 5 bytes JMP 00000001751660c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a33cd3 5 bytes JMP 0000000175166029 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a33eb8 5 bytes JMP 0000000175168461 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a34406 5 bytes JMP 0000000175162139 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a34889 5 bytes JMP 0000000175165741 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a36b0e 5 bytes JMP 0000000175168629 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a36bdd 1 byte JMP 00000001751641e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a36bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!send 0000000075a36f01 5 bytes JMP 00000001751620a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a37089 5 bytes JMP 00000001751686c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a3cc3f 5 bytes JMP 0000000175168591 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a3d1ea 5 bytes JMP 00000001751657d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2028] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a47673 5 bytes JMP 0000000175165871 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000770af968 5 bytes JMP 0000000175169209 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000770afa20 5 bytes JMP 00000001751667e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000770afb68 5 bytes JMP 00000001751661f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000770afbe8 5 bytes JMP 0000000175168de1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000770afc60 5 bytes JMP 00000001751631d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770afc90 5 bytes JMP 00000001751615f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000770afcc0 5 bytes JMP 0000000175161689 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770afcf0 5 bytes JMP 0000000175166159 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000770afe08 5 bytes JMP 0000000175169171 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000770afe54 5 bytes JMP 00000001751630a9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000770afe84 5 bytes JMP 0000000175163309 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000770aff00 5 bytes JMP 0000000175167161 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000770aff64 5 bytes JMP 0000000175163271 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000770affb4 5 bytes JMP 0000000175167fa1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000770affe4 5 bytes JMP 00000001751692a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000770b002c 5 bytes JMP 0000000175162ee1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000770b0044 5 bytes JMP 0000000175162db1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770b00f4 5 bytes JMP 0000000175161ed9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770b0204 5 bytes JMP 0000000175162301 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770b07dc 5 bytes JMP 00000001751690d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000770b0854 5 bytes JMP 0000000175162e49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770b08e4 5 bytes JMP 0000000175162d19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000770b0e34 5 bytes JMP 0000000175166879 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000770b1100 5 bytes JMP 0000000175168d49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000770b1644 5 bytes JMP 0000000175164ac9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770b1960 5 bytes JMP 0000000175163141 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000770b1c24 5 bytes JMP 0000000175166911 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000770b1d94 5 bytes JMP 0000000175163439 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000770b1db0 5 bytes JMP 00000001751633a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000770b1dcc 5 bytes JMP 0000000175169339 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000770b1f28 5 bytes JMP 0000000175168f11 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000770c28e4 5 bytes JMP 0000000175161ab1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000770c8e61 5 bytes JMP 0000000175168e79 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000770f0eab 5 bytes JMP 0000000175162009 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077138b7f 5 bytes JMP 0000000175164b61 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007713ee1b 5 bytes JMP 0000000175161f71 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075790e00 5 bytes JMP 0000000175161da9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075791072 5 bytes JMP 0000000175162a21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007579498f 5 bytes JMP 00000001751625f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757a3bab 5 bytes JMP 0000000175163011 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757a9aa4 5 bytes JMP 00000001751670c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000757a9b05 5 bytes JMP 0000000175166e69 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000757b7327 5 bytes JMP 0000000175162729 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000757b88da 5 bytes JMP 0000000175166749 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000757bccb1 5 bytes JMP 0000000175166d39 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757bccd1 5 bytes JMP 0000000175166f99 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075813161 5 bytes JMP 00000001751628f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007583759b 5 bytes JMP 00000001751646a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000758375be 5 bytes JMP 00000001751647d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075837969 5 bytes JMP 0000000175164901 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000758379e2 5 bytes JMP 0000000175164a31 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c48f8d 5 bytes JMP 0000000175161a19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c4c436 5 bytes JMP 0000000175163b59 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076c4d0af 5 bytes JMP 00000001751671f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c4eca6 5 bytes JMP 0000000175163601 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c4f206 5 bytes JMP 0000000175162399 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c4fa89 5 bytes JMP 0000000175161e41 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076c4fbb7 5 bytes JMP 0000000175166c09 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c51358 5 bytes JMP 0000000175163ac1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c5137f 5 bytes JMP 0000000175163a29 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c51d29 5 bytes JMP 0000000175161981 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c51e15 5 bytes JMP 00000001751624c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c52ab1 5 bytes JMP 0000000175166321 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c52cdf 5 bytes JMP 0000000175166289 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c52d1d 5 bytes JMP 00000001751663b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c52e80 5 bytes JMP 00000001751618e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c53b76 5 bytes JMP 0000000175162269 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c5449c 5 bytes JMP 0000000175162431 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c5460e 5 bytes JMP 0000000175163569 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c54637 5 bytes JMP 0000000175162c81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076c5a217 5 bytes JMP 00000001751680d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076c5a426 5 bytes JMP 0000000175168169 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076c5a500 5 bytes JMP 0000000175168039 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c5c73a 5 bytes JMP 00000001751627c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076c5e2a4 5 bytes JMP 0000000175168cb1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000000025a472 5 bytes JMP 00000000751693d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000002627ce 5 bytes JMP 0000000075161be1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000000026e6cf 5 bytes JMP 0000000075161b49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000755e78e2 5 bytes JMP 0000000175164441 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000755e7bd3 5 bytes JMP 00000001751643a9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000755e8a29 5 bytes JMP 0000000175165909 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000755e98fd 5 bytes JMP 0000000175166581 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000755eb6ed 5 bytes JMP 0000000175169469 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000755ed22e 5 bytes JMP 00000001751659a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755eee09 5 bytes JMP 00000001751634d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000755effe6 5 bytes JMP 0000000175166451 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000755f00d9 5 bytes JMP 00000001751664e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000755f05ba 5 bytes JMP 0000000175164571 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000755f0dfb 5 bytes JMP 0000000175165a39 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000755f12a5 5 bytes JMP 0000000175169041 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000755f20ec 5 bytes JMP 0000000175165dc9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000755f3baa 5 bytes JMP 0000000175168fa9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 00000000755f4ab6 5 bytes JMP 0000000175168889 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000755f5f74 5 bytes JMP 00000001751644d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000755f6285 5 bytes JMP 0000000175164bf9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755f7603 5 bytes JMP 0000000175162be9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000755f7aee 5 bytes JMP 0000000175165d31 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755f835c 5 bytes JMP 0000000175162b51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007560ce54 5 bytes JMP 0000000175165b69 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007560f52b 5 bytes JMP 0000000175164c91 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007560f588 5 bytes JMP 0000000175166619 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756110a0 5 bytes JMP 0000000175165ad1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007563fcd6 5 bytes JMP 0000000175165c01 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007563fcfa 5 bytes JMP 0000000175165c99 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000004e8e89 5 bytes JMP 0000000075168331 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000004e9179 5 bytes JMP 0000000075168201 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000004e9186 5 bytes JMP 0000000075168a51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000004ec4d2 5 bytes JMP 0000000075168c19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000004ec9ec 5 bytes JMP 0000000075163c89 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000004edeb4 5 bytes JMP 0000000075168299 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000004eded6 5 bytes JMP 0000000075168b81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000004edeee 5 bytes JMP 00000000751689b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000004edf1e 5 bytes JMP 0000000075168ae9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000004f2b50 5 bytes JMP 0000000075163bf1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000004f35fc 5 bytes JMP 00000000751640b1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000004f494d 5 bytes JMP 0000000075169599 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 000000000050714c 5 bytes JMP 0000000075164311 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000000507164 5 bytes JMP 0000000075163e51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000000050717c 5 bytes JMP 0000000075163ee9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000005077c3 5 bytes JMP 00000000751683c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000000523384 5 bytes JMP 0000000075163f81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000000523394 5 bytes JMP 0000000075164019 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000005233a4 5 bytes JMP 0000000075163d21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000005233b4 5 bytes JMP 0000000075163db9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000005233f4 5 bytes JMP 0000000075164279 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a33918 5 bytes JMP 00000001751660c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a33cd3 5 bytes JMP 0000000175166029 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a33eb8 5 bytes JMP 0000000175168461 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a34406 5 bytes JMP 0000000175162139 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a34889 5 bytes JMP 0000000175165741 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a36b0e 5 bytes JMP 0000000175168629 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a36bdd 1 byte JMP 00000001751641e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a36bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!send 0000000075a36f01 5 bytes JMP 00000001751620a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a37089 5 bytes JMP 00000001751686c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a3cc3f 5 bytes JMP 0000000175168591 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a3d1ea 5 bytes JMP 00000001751657d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2056] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a47673 5 bytes JMP 0000000175165871 .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf41861 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf42db1 11 bytes [B8, 79, B4, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf43461 11 bytes [B8, 39, B6, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 79, 0F, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, F9, 0B, 2B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, B9, 0D, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf48f20 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, B9, 30, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, 39, E0, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, B9, B2, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf4ca31 11 bytes [B8, F9, B0, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf537d1 11 bytes [B8, F9, 4E, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, B9, CE, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefdfeb031 11 bytes [B8, 39, 49, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe004991 11 bytes [B8, F9, 20, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe0049b1 11 bytes [B8, B9, 22, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe019209 11 bytes [B8, 39, 26, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076ed85e1 11 bytes [B8, B9, 37, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076ee6921 7 bytes [B8, 39, 69, 2A, 75, 00, 00] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076ee692a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076efda30 6 bytes [48, B8, B9, 45, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076efda38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076efdaa0 6 bytes [48, B8, 79, C2, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076efdaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076efdb70 6 bytes [48, B8, 39, AF, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076efdb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076efdbc0 6 bytes [48, B8, F9, 35, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076efdbc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076efdc10 6 bytes [48, B8, F9, 32, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076efdc18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076efdc30 6 bytes [48, B8, 39, 1C, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076efdc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076efdc50 6 bytes [48, B8, F9, 1D, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076efdc58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076efdc70 6 bytes [48, B8, 79, AD, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076efdc78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076efdd20 6 bytes [48, B8, F9, 43, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076efdd28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076efdd50 6 bytes [48, B8, 79, 2F, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076efdd58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076efdd70 6 bytes [48, B8, 79, 36, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076efdd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076efddc0 6 bytes [48, B8, 79, DE, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076efddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076efde00 6 bytes [48, B8, B9, 34, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076efde08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076efde30 6 bytes [48, B8, F9, 0B, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076efde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076efde50 6 bytes [48, B8, 79, 47, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076efde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076efde80 6 bytes [48, B8, 39, 2A, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076efde88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076efde90 6 bytes [48, B8, B9, 26, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076efde98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076efdf00 6 bytes [48, B8, 39, E0, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076efdf08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076efdfb0 6 bytes [48, B8, F9, 4A, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076efdfb8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076efe380 6 bytes [48, B8, 39, 42, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076efe388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076efe3d0 6 bytes [48, B8, 79, 28, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076efe3d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076efe430 6 bytes [48, B8, F9, 24, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076efe438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076efe7a0 6 bytes [48, B8, 39, C4, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076efe7a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076efe970 6 bytes [48, B8, 39, 34, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076efe978 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076efece0 6 bytes [48, B8, 79, 83, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076efece8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076efeee0 6 bytes [48, B8, 39, 31, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076efeee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eff0a0 6 bytes [48, B8, F9, C5, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076eff0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076eff180 6 bytes [48, B8, 79, 3D, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076eff188 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076eff190 6 bytes [48, B8, B9, 3B, 2A, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076eff198 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eff1a0 6 bytes [48, B8, 39, 49, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076eff1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076eff280 6 bytes [48, B8, F9, 3C, 2B, 75] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076eff288 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f6f0c1 11 bytes [B8, 39, 85, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf41861 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf42db1 11 bytes [B8, 79, B4, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf43461 11 bytes [B8, 39, B6, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 39, 11, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, B9, 0D, 2B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, 79, 0F, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf48f20 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, 79, 32, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, F9, E1, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, B9, B2, 2A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf4ca31 11 bytes [B8, F9, B0, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf537d1 11 bytes [B8, F9, 4E, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, B9, CE, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefdfeb031 11 bytes [B8, B9, 4C, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe004991 11 bytes [B8, B9, 22, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe0049b1 11 bytes [B8, 79, 24, 2B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe019209 11 bytes [B8, F9, 27, 2B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076ed85e1 11 bytes [B8, F9, C5, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076ee6921 7 bytes [B8, F9, 55, 2A, 75, 00, 00] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076ee692a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076efdb70 6 bytes [48, B8, F9, 5C, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076efdb78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076efdbc0 6 bytes [48, B8, 39, C4, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076efdbc8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076efdc10 6 bytes [48, B8, F9, 32, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076efdc18 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076efdc30 6 bytes [48, B8, 39, 1C, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076efdc38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076efdc50 6 bytes [48, B8, F9, 1D, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076efdc58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076efdc70 6 bytes [48, B8, 39, 5B, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076efdc78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076efdd20 6 bytes [48, B8, B9, D5, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076efdd28 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076efdd50 6 bytes [48, B8, 79, 2F, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076efdd58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076efdd70 6 bytes [48, B8, 79, 36, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076efdd78 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076efddc0 6 bytes [48, B8, F9, 71, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076efddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076efde00 6 bytes [48, B8, B9, 34, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076efde08 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076efde30 6 bytes [48, B8, F9, A2, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076efde38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076efde50 6 bytes [48, B8, 79, D7, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076efde58 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076efde80 6 bytes [48, B8, 39, 2A, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076efde88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076efde90 6 bytes [48, B8, B9, 26, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076efde98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076efdf00 6 bytes [48, B8, B9, 73, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076efdf08 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076efdfb0 6 bytes [48, B8, F9, DA, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076efdfb8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076efe380 6 bytes [48, B8, F9, D3, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076efe388 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076efe3d0 6 bytes [48, B8, 79, 28, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076efe3d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076efe430 6 bytes [48, B8, F9, 24, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076efe438 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076efe7a0 6 bytes [48, B8, B9, 5E, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076efe7a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076efe970 6 bytes [48, B8, 79, C2, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076efe978 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076efeee0 6 bytes [48, B8, 39, 31, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076efeee8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eff0a0 6 bytes [48, B8, 79, 60, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076eff0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076eff180 6 bytes [48, B8, 79, 3D, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076eff188 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076eff190 6 bytes [48, B8, B9, 3B, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076eff198 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eff1a0 6 bytes [48, B8, 39, D9, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076eff1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076eff280 6 bytes [48, B8, 39, CB, 2A, 75] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076eff288 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076c91c10 12 bytes [48, B8, F9, 39, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076c92b61 8 bytes [B8, 39, 69, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076c92b6a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cadb10 12 bytes [48, B8, B9, 2D, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076cb0951 11 bytes [B8, 79, C9, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076d1f4e1 11 bytes [B8, 39, 70, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076d1f6e1 11 bytes [B8, B9, 6C, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076d1f711 8 bytes [B8, B9, 65, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076d1f71a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 39, A8, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, B9, A4, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, 79, A6, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, B9, C0, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, 79, 75, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, 79, B4, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, 39, 62, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefee7ae81 11 bytes [B8, B9, B9, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefee7aee1 11 bytes [B8, F9, A9, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefee7e6e9 11 bytes [B8, F9, BE, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefee8048d 11 bytes [B8, B9, AB, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefee80579 11 bytes [B8, F9, B7, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefee805b1 11 bytes [B8, 79, BB, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefee805f9 5 bytes [B8, 39, BD, 2A, 75] .text ... * 2 .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefee94e21 11 bytes [B8, B9, DC, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefee95538 12 bytes [48, B8, 79, 59, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeeab9c1 7 bytes [B8, 39, AF, 2A, 75, 00, 00] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeeab9ca 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeeaba4c 12 bytes [48, B8, B9, 57, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeeabbc0 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeeabc2c 12 bytes [48, B8, F9, 4E, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2a642d 11 bytes [B8, 79, 4B, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2a6484 12 bytes [48, B8, 39, 46, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2a6519 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2a6c34 12 bytes [48, B8, 79, 44, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2a7ab5 11 bytes [B8, 39, 4D, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2a8b01 11 bytes [B8, F9, 47, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2a8c39 11 bytes [B8, B9, 49, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefdfeb031 11 bytes [B8, 79, DE, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe004991 11 bytes [B8, F9, B0, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe0049b1 11 bytes [B8, B9, B2, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe019209 11 bytes [B8, 39, B6, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefd2e4460 12 bytes [48, B8, 79, 98, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefd30ede1 11 bytes [B8, F9, 94, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA 000007fefd391170 12 bytes [48, B8, B9, 96, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefd3912f0 12 bytes [48, B8, 39, 93, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetCloseHandle + 1 000007fefef7b1c1 11 bytes [B8, 39, A1, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!HttpOpenRequestW + 1 000007fefef7c6d1 11 bytes [B8, 79, 8A, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetConnectW + 1 000007fefef829b1 11 bytes [B8, F9, 86, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!HttpSendRequestW + 1 000007fefef83ba1 11 bytes [B8, F9, 8D, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetReadFile + 1 000007fefef84c81 11 bytes [B8, F9, 78, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetOpenW + 1 000007fefefbddc1 11 bytes [B8, 79, 7C, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetOpenA 000007fefefbdf60 12 bytes [48, B8, B9, 7A, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!HttpSendRequestExW + 1 000007fefefcc461 11 bytes [B8, 79, 91, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetWriteFile + 1 000007fefefcc921 11 bytes [B8, 39, 77, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!HttpSendRequestA + 1 000007feff00f691 11 bytes [B8, 39, 8C, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetConnectA + 1 000007feff06e9b1 11 bytes [B8, 39, 85, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetOpenUrlA + 1 000007feff06eda1 11 bytes [B8, 39, 7E, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!InternetOpenUrlW + 1 000007feff06fa51 11 bytes [B8, F9, 7F, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!FtpGetFileA 000007feff080360 12 bytes [48, B8, 39, 9A, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!FtpOpenFileA + 1 000007feff080811 11 bytes [B8, B9, 81, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!FtpPutFileA 000007feff0808f0 12 bytes [48, B8, B9, 9D, 2A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!FtpGetFileW + 1 000007feff084261 11 bytes [B8, F9, 9B, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!FtpOpenFileW + 1 000007feff084371 11 bytes [B8, 79, 83, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!FtpPutFileW + 1 000007feff084571 11 bytes [B8, 79, 9F, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!HttpSendRequestExA + 1 000007feff098751 11 bytes [B8, B9, 8F, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WININET.dll!HttpOpenRequestA + 1 000007feff09b221 11 bytes [B8, B9, 88, 2A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2700] C:\Windows\system32\WS2_32.dll!connect 000007fefdd145c0 12 bytes [48, B8, 39, 54, 2A, 75, 00, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000770af968 5 bytes JMP 0000000175169209 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000770afa20 5 bytes JMP 00000001751667e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000770afb68 5 bytes JMP 00000001751661f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000770afbe8 5 bytes JMP 0000000175168de1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000770afc60 5 bytes JMP 00000001751631d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770afc90 5 bytes JMP 00000001751615f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000770afcc0 5 bytes JMP 0000000175161689 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770afcf0 5 bytes JMP 0000000175166159 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000770afe08 5 bytes JMP 0000000175169171 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000770afe54 5 bytes JMP 00000001751630a9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000770afe84 5 bytes JMP 0000000175163309 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000770aff00 5 bytes JMP 0000000175167161 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000770aff64 5 bytes JMP 0000000175163271 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000770affb4 5 bytes JMP 0000000175167fa1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000770affe4 5 bytes JMP 00000001751692a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000770b002c 5 bytes JMP 0000000175162ee1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000770b0044 5 bytes JMP 0000000175162db1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770b00f4 5 bytes JMP 0000000175161ed9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770b0204 5 bytes JMP 0000000175162301 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770b07dc 5 bytes JMP 00000001751690d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000770b0854 5 bytes JMP 0000000175162e49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770b08e4 5 bytes JMP 0000000175162d19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000770b0e34 5 bytes JMP 0000000175166879 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000770b1100 5 bytes JMP 0000000175168d49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000770b1644 5 bytes JMP 0000000175164ac9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770b1960 5 bytes JMP 0000000175163141 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000770b1c24 5 bytes JMP 0000000175166911 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000770b1d94 5 bytes JMP 0000000175163439 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000770b1db0 5 bytes JMP 00000001751633a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000770b1dcc 5 bytes JMP 0000000175169339 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000770b1f28 5 bytes JMP 0000000175168f11 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000770c28e4 5 bytes JMP 0000000175161ab1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000770c8e61 5 bytes JMP 0000000175168e79 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000770f0eab 5 bytes JMP 0000000175162009 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077138b7f 5 bytes JMP 0000000175164b61 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007713ee1b 5 bytes JMP 0000000175161f71 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075790e00 5 bytes JMP 0000000175161da9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075791072 5 bytes JMP 0000000175162a21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007579498f 5 bytes JMP 00000001751625f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757a3bab 5 bytes JMP 0000000175163011 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757a9aa4 5 bytes JMP 00000001751670c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000757a9b05 5 bytes JMP 0000000175166e69 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000757b7327 5 bytes JMP 0000000175162729 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000757b88da 5 bytes JMP 0000000175166749 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000757bccb1 5 bytes JMP 0000000175166d39 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757bccd1 5 bytes JMP 0000000175166f99 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075813161 5 bytes JMP 00000001751628f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007583759b 5 bytes JMP 00000001751646a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000758375be 5 bytes JMP 00000001751647d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075837969 5 bytes JMP 0000000175164901 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000758379e2 5 bytes JMP 0000000175164a31 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c48f8d 5 bytes JMP 0000000175161a19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c4c436 5 bytes JMP 0000000175163b59 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076c4d0af 5 bytes JMP 00000001751671f9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c4eca6 5 bytes JMP 0000000175163601 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c4f206 5 bytes JMP 0000000175162399 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c4fa89 5 bytes JMP 0000000175161e41 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076c4fbb7 5 bytes JMP 0000000175166c09 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c51358 5 bytes JMP 0000000175163ac1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c5137f 5 bytes JMP 0000000175163a29 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c51d29 5 bytes JMP 0000000175161981 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c51e15 5 bytes JMP 00000001751624c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c52ab1 5 bytes JMP 0000000175166321 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c52cdf 5 bytes JMP 0000000175166289 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c52d1d 5 bytes JMP 00000001751663b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c52e80 5 bytes JMP 00000001751618e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c53b76 5 bytes JMP 0000000175162269 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c5449c 5 bytes JMP 0000000175162431 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c5460e 5 bytes JMP 0000000175163569 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c54637 5 bytes JMP 0000000175162c81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076c5a217 5 bytes JMP 00000001751680d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076c5a426 5 bytes JMP 0000000175168169 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076c5a500 5 bytes JMP 0000000175168039 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c5c73a 5 bytes JMP 00000001751627c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076c5e2a4 5 bytes JMP 0000000175168cb1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000000025a472 5 bytes JMP 00000000751693d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000002627ce 5 bytes JMP 0000000075161be1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000000026e6cf 5 bytes JMP 0000000075161b49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000755e78e2 5 bytes JMP 0000000175164441 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000755e7bd3 5 bytes JMP 00000001751643a9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000755e8a29 5 bytes JMP 0000000175165909 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000755e98fd 5 bytes JMP 0000000175166581 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000755eb6ed 5 bytes JMP 0000000175169469 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000755ed22e 5 bytes JMP 00000001751659a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755eee09 5 bytes JMP 00000001751634d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000755effe6 5 bytes JMP 0000000175166451 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000755f00d9 5 bytes JMP 00000001751664e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000755f05ba 5 bytes JMP 0000000175164571 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000755f0dfb 5 bytes JMP 0000000175165a39 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000755f12a5 5 bytes JMP 0000000175169041 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000755f20ec 5 bytes JMP 0000000175165dc9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000755f3baa 5 bytes JMP 0000000175168fa9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 00000000755f4ab6 5 bytes JMP 0000000175168889 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000755f5f74 5 bytes JMP 00000001751644d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000755f6285 5 bytes JMP 0000000175164bf9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755f7603 5 bytes JMP 0000000175162be9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000755f7aee 5 bytes JMP 0000000175165d31 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755f835c 5 bytes JMP 0000000175162b51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007560ce54 5 bytes JMP 0000000175165b69 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007560f52b 5 bytes JMP 0000000175164c91 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007560f588 5 bytes JMP 0000000175166619 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756110a0 5 bytes JMP 0000000175165ad1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007563fcd6 5 bytes JMP 0000000175165c01 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007563fcfa 5 bytes JMP 0000000175165c99 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 00000000752f633b 5 bytes JMP 0000000175169501 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007531868d 5 bytes JMP 0000000175168759 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000753186ac 5 bytes JMP 00000001751687f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000753240e9 5 bytes JMP 0000000175168921 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 00000000004d8e89 5 bytes JMP 0000000075168331 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 00000000004d9179 5 bytes JMP 0000000075168201 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 00000000004d9186 5 bytes JMP 0000000075168a51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 00000000004dc4d2 5 bytes JMP 0000000075168c19 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000004dc9ec 5 bytes JMP 0000000075163c89 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 00000000004ddeb4 5 bytes JMP 0000000075168299 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 00000000004dded6 5 bytes JMP 0000000075168b81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 00000000004ddeee 5 bytes JMP 00000000751689b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 00000000004ddf1e 5 bytes JMP 0000000075168ae9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000004e2b50 5 bytes JMP 0000000075163bf1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000004e35fc 5 bytes JMP 00000000751640b1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000004e494d 5 bytes JMP 0000000075169599 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000004f714c 5 bytes JMP 0000000075164311 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000004f7164 5 bytes JMP 0000000075163e51 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000004f717c 5 bytes JMP 0000000075163ee9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000004f77c3 5 bytes JMP 00000000751683c9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000000513384 5 bytes JMP 0000000075163f81 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000000513394 5 bytes JMP 0000000075164019 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000005133a4 5 bytes JMP 0000000075163d21 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000005133b4 5 bytes JMP 0000000075163db9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000005133f4 5 bytes JMP 0000000075164279 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000076010199 5 bytes JMP 0000000175164d29 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a33918 5 bytes JMP 00000001751660c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a33cd3 5 bytes JMP 0000000175166029 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a33eb8 5 bytes JMP 0000000175168461 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a34406 5 bytes JMP 0000000175162139 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a34889 5 bytes JMP 0000000175165741 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a36b0e 5 bytes JMP 0000000175168629 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a36bdd 1 byte JMP 00000001751641e1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a36bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!send 0000000075a36f01 5 bytes JMP 00000001751620a1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a37089 5 bytes JMP 00000001751686c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a3cc3f 5 bytes JMP 0000000175168591 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a3d1ea 5 bytes JMP 00000001751657d9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a47673 5 bytes JMP 0000000175165871 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000311401 2 bytes JMP 757bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000311419 2 bytes JMP 757bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000311431 2 bytes JMP 75838fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000031144a 2 bytes CALL 7579489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000003114dd 2 bytes JMP 758388c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000003114f5 2 bytes JMP 75838aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000031150d 2 bytes JMP 758387ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000311525 2 bytes JMP 75838b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000031153d 2 bytes JMP 757afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000311555 2 bytes JMP 757b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000031156d 2 bytes JMP 75839089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000311585 2 bytes JMP 75838bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000031159d 2 bytes JMP 7583877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000003115b5 2 bytes JMP 757afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000003115cd 2 bytes JMP 757bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000003116b2 2 bytes JMP 75838f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000003116bd 2 bytes JMP 75838713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000075e15e10 5 bytes JMP 0000000175167b79 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetWriteFile 0000000075e15f90 5 bytes JMP 0000000175167291 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 0000000075e2d480 5 bytes JMP 0000000175167f09 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 0000000075e31310 5 bytes JMP 0000000175167919 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000075e34040 5 bytes JMP 0000000175167a49 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetConnectW 0000000075e34fa0 5 bytes JMP 00000001751677e9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetReadFile 0000000075e3d510 5 bytes JMP 0000000175167329 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetOpenA 0000000075e67440 5 bytes JMP 00000001751673c1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetOpenW 0000000075e679d0 5 bytes JMP 0000000175167459 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000075e8d780 5 bytes JMP 00000001751679b1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetConnectA 0000000075e937a0 5 bytes JMP 0000000175167751 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 0000000075e93830 5 bytes JMP 0000000175167881 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000075ee61e0 5 bytes JMP 00000001751674f1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000075ee6d20 5 bytes JMP 0000000175167589 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!FtpGetFileA 0000000075ef4c10 5 bytes JMP 0000000175167ca9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000075ef4fd0 5 bytes JMP 0000000175167621 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000075ef5060 5 bytes JMP 0000000175167dd9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000075ef8130 5 bytes JMP 0000000175167d41 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000075ef81d0 5 bytes JMP 00000001751676b9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!FtpPutFileW 0000000075ef8330 5 bytes JMP 0000000175167e71 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 0000000075f0a7e0 5 bytes JMP 0000000175167ae1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000075c72b50 5 bytes JMP 0000000175169929 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000075c95390 5 bytes JMP 0000000175164149 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000075c95b70 5 bytes JMP 00000001751621d1 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 0000000075d2e4f0 5 bytes JMP 0000000175167c11 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2892] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000075d2e640 5 bytes JMP 0000000175162ab9 .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf41861 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf42db1 11 bytes [B8, 79, D0, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf43461 11 bytes [B8, 39, D2, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 39, 2D, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, B9, 29, 2B, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, 79, 2B, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf48f20 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, 79, 4E, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, F9, FD, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, B9, CE, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf4ca31 11 bytes [B8, F9, CC, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf537d1 11 bytes [B8, F9, 4E, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, B9, EA, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefee7ae81 11 bytes [B8, 79, 47, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefee7aee1 11 bytes [B8, F9, 2E, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefee7e6e9 11 bytes [B8, B9, 4C, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefee8048d 11 bytes [B8, B9, 30, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefee80579 11 bytes [B8, B9, 45, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefee805b1 11 bytes [B8, 39, 49, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefee805f9 5 bytes [B8, F9, 4A, 2B, 75] .text ... * 2 .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefee94e21 11 bytes [B8, B9, 68, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefee95538 12 bytes [48, B8, B9, 6C, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeeab9c1 7 bytes [B8, 39, 34, 2B, 75, 00, 00] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeeab9ca 2 bytes [50, C3] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeeaba4c 12 bytes [48, B8, F9, 6A, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeeabbc0 12 bytes [48, B8, 79, 60, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeeabc2c 12 bytes [48, B8, B9, 5E, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2a642d 11 bytes [B8, 39, 5B, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2a6484 12 bytes [48, B8, F9, 55, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2a6519 11 bytes [B8, 39, 62, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2a6c34 12 bytes [48, B8, 39, 54, 2A, 75, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2a7ab5 11 bytes [B8, F9, 5C, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2a8b01 11 bytes [B8, B9, 57, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2a8c39 11 bytes [B8, 79, 59, 2A, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefdfeb031 11 bytes [B8, 79, 6A, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe004991 11 bytes [B8, B9, 3E, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe0049b1 11 bytes [B8, 79, 40, 2B, 75, 00, 00, ...] .text C:\Program Files\IDT\WDM\sttray64.exe[2992] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe019209 11 bytes [B8, F9, 43, 2B, 75, 00, 00, ...] .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000770af930 5 bytes JMP 00000001751676b9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000770af968 5 bytes JMP 0000000175168921 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000770afa20 5 bytes JMP 0000000175165e61 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000770afb68 5 bytes JMP 0000000175165871 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000770afbe8 5 bytes JMP 00000001751684f9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000770afc60 5 bytes JMP 00000001751631d9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770afc90 5 bytes JMP 00000001751615f1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000770afcc0 5 bytes JMP 0000000175161689 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770afcf0 5 bytes JMP 00000001751657d9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000770afe08 5 bytes JMP 0000000175168889 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000770afe54 5 bytes JMP 00000001751630a9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000770afe84 5 bytes JMP 0000000175163309 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000770aff00 5 bytes JMP 00000001751667e1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000770aff64 5 bytes JMP 0000000175163271 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000770affb4 5 bytes JMP 0000000175167621 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000770affe4 5 bytes JMP 00000001751689b9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000770b002c 5 bytes JMP 0000000175162ee1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000770b0044 5 bytes JMP 0000000175162db1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770b00f4 5 bytes JMP 0000000175161ed9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770b0204 5 bytes JMP 0000000175162301 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770b07dc 5 bytes JMP 00000001751687f1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000770b0854 5 bytes JMP 0000000175162e49 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770b08e4 5 bytes JMP 0000000175162d19 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000770b0e34 5 bytes JMP 0000000175165ef9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000770b1100 5 bytes JMP 0000000175168461 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000770b1644 5 bytes JMP 0000000175164ac9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770b1960 5 bytes JMP 0000000175163141 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000770b1c24 5 bytes JMP 0000000175165f91 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000770b1d94 5 bytes JMP 0000000175163439 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000770b1db0 5 bytes JMP 00000001751633a1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000770b1dcc 5 bytes JMP 0000000175168a51 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000770b1f28 5 bytes JMP 0000000175168629 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000770c28e4 5 bytes JMP 0000000175161ab1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000770c8e61 5 bytes JMP 0000000175168591 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000770f0eab 5 bytes JMP 0000000175162009 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077138b7f 5 bytes JMP 0000000175164b61 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007713ee1b 5 bytes JMP 0000000175161f71 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075790e00 5 bytes JMP 0000000175161da9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075791072 5 bytes JMP 0000000175162a21 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007579498f 5 bytes JMP 00000001751625f9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757a3bab 5 bytes JMP 0000000175163011 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757a9aa4 5 bytes JMP 0000000175166749 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000757a9b05 5 bytes JMP 00000001751664e9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000757b7327 5 bytes JMP 0000000175162729 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000757b88da 5 bytes JMP 0000000175165dc9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000757bccb1 5 bytes JMP 00000001751663b9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757bccd1 5 bytes JMP 0000000175166619 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075813161 5 bytes JMP 00000001751628f1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007583759b 5 bytes JMP 00000001751646a1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000758375be 5 bytes JMP 00000001751647d1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075837969 5 bytes JMP 0000000175164901 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000758379e2 5 bytes JMP 0000000175164a31 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c48f8d 5 bytes JMP 0000000175161a19 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c4c436 5 bytes JMP 0000000175163b59 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076c4d0af 5 bytes JMP 0000000175166879 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c4eca6 5 bytes JMP 0000000175163601 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c4f206 5 bytes JMP 0000000175162399 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c4fa89 5 bytes JMP 0000000175161e41 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076c4fbb7 5 bytes JMP 0000000175166289 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c51358 5 bytes JMP 0000000175163ac1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c5137f 5 bytes JMP 0000000175163a29 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c51d29 5 bytes JMP 0000000175161981 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c51e15 5 bytes JMP 00000001751624c9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c52ab1 5 bytes JMP 00000001751659a1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c52cdf 5 bytes JMP 0000000175165909 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c52d1d 5 bytes JMP 0000000175165a39 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c52e80 5 bytes JMP 00000001751618e9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c53b76 5 bytes JMP 0000000175162269 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c5449c 5 bytes JMP 0000000175162431 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c5460e 5 bytes JMP 0000000175163569 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c54637 5 bytes JMP 0000000175162c81 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076c5a217 5 bytes JMP 00000001751677e9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076c5a426 5 bytes JMP 0000000175167881 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076c5a500 5 bytes JMP 0000000175167751 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c5c73a 5 bytes JMP 00000001751627c1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076c5e2a4 5 bytes JMP 00000001751683c9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000000023a472 5 bytes JMP 0000000075168ae9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000002427ce 5 bytes JMP 0000000075161be1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000000024e6cf 5 bytes JMP 0000000075161b49 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000755e78e2 5 bytes JMP 0000000175164441 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000755e7bd3 5 bytes JMP 00000001751643a9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000755e8a29 5 bytes JMP 0000000175164f89 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000755e98fd 1 byte JMP 0000000175165c01 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000755e98ff 3 bytes {JMP 0xffffffffffb7c304} .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000755eb6ed 5 bytes JMP 0000000175168b81 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000755ed22e 5 bytes JMP 0000000175165021 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755eee09 5 bytes JMP 00000001751634d1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000755effe6 5 bytes JMP 0000000175165ad1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000755f00d9 5 bytes JMP 0000000175165b69 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000755f05ba 5 bytes JMP 0000000175164571 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000755f0dfb 5 bytes JMP 00000001751650b9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000755f12a5 5 bytes JMP 0000000175168759 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000755f20ec 5 bytes JMP 0000000175165449 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000755f3baa 5 bytes JMP 00000001751686c1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 00000000755f4ab6 5 bytes JMP 0000000175167fa1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000755f5f74 5 bytes JMP 00000001751644d9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000755f6285 5 bytes JMP 0000000175164bf9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755f7603 5 bytes JMP 0000000175162be9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000755f7aee 5 bytes JMP 00000001751653b1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755f835c 5 bytes JMP 0000000175162b51 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007560ce54 5 bytes JMP 00000001751651e9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007560f52b 5 bytes JMP 0000000175164c91 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007560f588 5 bytes JMP 0000000175165c99 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756110a0 5 bytes JMP 0000000175165151 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007563fcd6 2 bytes JMP 0000000175165281 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007563fcd9 2 bytes [B2, FF] .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007563fcfa 5 bytes JMP 0000000175165319 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 00000000752f633b 5 bytes JMP 0000000175168c19 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007531868d 5 bytes JMP 0000000175167e71 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000753186ac 5 bytes JMP 0000000175167f09 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000753240e9 5 bytes JMP 0000000175168039 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000000518e89 5 bytes JMP 0000000075167a49 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000000519179 5 bytes JMP 0000000075167919 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000000519186 5 bytes JMP 0000000075168169 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000000051c4d2 5 bytes JMP 0000000075168331 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000000051c9ec 5 bytes JMP 0000000075163c89 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000000051deb4 5 bytes JMP 00000000751679b1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000000051ded6 5 bytes JMP 0000000075168299 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000000051deee 5 bytes JMP 00000000751680d1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000000051df1e 5 bytes JMP 0000000075168201 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000000522b50 5 bytes JMP 0000000075163bf1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000005235fc 5 bytes JMP 00000000751640b1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000000052494d 5 bytes JMP 0000000075168cb1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 000000000053714c 5 bytes JMP 0000000075164311 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000000537164 5 bytes JMP 0000000075163e51 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000000053717c 5 bytes JMP 0000000075163ee9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000005377c3 5 bytes JMP 0000000075167ae1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000000553384 5 bytes JMP 0000000075163f81 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000000553394 5 bytes JMP 0000000075164019 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000005533a4 5 bytes JMP 0000000075163d21 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000005533b4 5 bytes JMP 0000000075163db9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000005533f4 5 bytes JMP 0000000075164279 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a33918 5 bytes JMP 0000000175165741 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000075a33cd3 5 bytes JMP 00000001751656a9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!socket 0000000075a33eb8 5 bytes JMP 0000000175167b79 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a34406 5 bytes JMP 0000000175162139 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075a34889 5 bytes JMP 0000000175164dc1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a36b0e 5 bytes JMP 0000000175167d41 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a36bdd 1 byte JMP 00000001751641e1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000075a36bdf 3 bytes {CALL RBP} .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!send 0000000075a36f01 5 bytes JMP 00000001751620a1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a37089 5 bytes JMP 0000000175167dd9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a3cc3f 5 bytes JMP 0000000175167ca9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000075a3d1ea 5 bytes JMP 0000000175164e59 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075a47673 5 bytes JMP 0000000175164ef1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000075c72b50 5 bytes JMP 0000000175168de1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000075c95390 5 bytes JMP 0000000175164149 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000075c95b70 5 bytes JMP 00000001751621d1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 0000000075d2e4f0 5 bytes JMP 0000000175167291 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000075d2e640 5 bytes JMP 0000000175162ab9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!HttpSendRequestExW 0000000075e15e10 5 bytes JMP 00000001751671f9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetWriteFile 0000000075e15f90 5 bytes JMP 0000000175166911 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 0000000075e2d480 5 bytes JMP 0000000175167589 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW 0000000075e31310 5 bytes JMP 0000000175166f99 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000075e34040 5 bytes JMP 00000001751670c9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetConnectW 0000000075e34fa0 5 bytes JMP 0000000175166e69 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetReadFile 0000000075e3d510 5 bytes JMP 00000001751669a9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetOpenA 0000000075e67440 5 bytes JMP 0000000175166a41 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetOpenW 0000000075e679d0 5 bytes JMP 0000000175166ad9 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000075e8d780 5 bytes JMP 0000000175167031 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetConnectA 0000000075e937a0 5 bytes JMP 0000000175166dd1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!HttpOpenRequestA 0000000075e93830 5 bytes JMP 0000000175166f01 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetOpenUrlA 0000000075ee61e0 5 bytes JMP 0000000175166b71 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!InternetOpenUrlW 0000000075ee6d20 5 bytes JMP 0000000175166c09 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!FtpGetFileA 0000000075ef4c10 5 bytes JMP 0000000175167329 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!FtpOpenFileA 0000000075ef4fd0 5 bytes JMP 0000000175166ca1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!FtpPutFileA 0000000075ef5060 5 bytes JMP 0000000175167459 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!FtpGetFileW 0000000075ef8130 5 bytes JMP 00000001751673c1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!FtpOpenFileW 0000000075ef81d0 5 bytes JMP 0000000175166d39 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!FtpPutFileW 0000000075ef8330 5 bytes JMP 00000001751674f1 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\WININET.dll!HttpSendRequestExA 0000000075f0a7e0 5 bytes JMP 0000000175167161 .text C:\Users\Bubsky\AppData\Local\FluxSoftware\Flux\flux.exe[3012] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000076010199 5 bytes JMP 0000000175164d29 .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076ed85e1 11 bytes [B8, B9, 37, 2B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076ee6921 7 bytes [B8, 39, 69, 2A, 75, 00, 00] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076ee692a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076efda30 6 bytes [48, B8, B9, 45, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076efda38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076efdaa0 6 bytes [48, B8, 79, C2, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076efdaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076efdb70 6 bytes [48, B8, 39, AF, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076efdb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076efdbc0 6 bytes [48, B8, F9, 35, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076efdbc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076efdc10 6 bytes [48, B8, F9, 32, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076efdc18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076efdc30 6 bytes [48, B8, 39, 1C, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076efdc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076efdc50 6 bytes [48, B8, F9, 1D, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076efdc58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076efdc70 6 bytes [48, B8, 79, AD, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076efdc78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076efdd20 6 bytes [48, B8, F9, 43, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076efdd28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076efdd50 6 bytes [48, B8, 79, 2F, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076efdd58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076efdd70 6 bytes [48, B8, 79, 36, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076efdd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076efddc0 6 bytes [48, B8, 79, DE, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8 0000000076efddc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076efde00 6 bytes [48, B8, B9, 34, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076efde08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076efde30 6 bytes [48, B8, F9, 0B, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076efde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076efde50 6 bytes [48, B8, 79, 47, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076efde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076efde80 6 bytes [48, B8, 39, 2A, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076efde88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076efde90 6 bytes [48, B8, B9, 26, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076efde98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076efdf00 6 bytes [48, B8, 39, E0, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076efdf08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076efdfb0 6 bytes [48, B8, F9, 4A, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076efdfb8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076efe380 6 bytes [48, B8, 39, 42, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076efe388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076efe3d0 6 bytes [48, B8, 79, 28, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076efe3d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076efe430 6 bytes [48, B8, F9, 24, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076efe438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076efe7a0 6 bytes [48, B8, 39, C4, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076efe7a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076efe970 6 bytes [48, B8, 39, 34, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076efe978 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076efece0 6 bytes [48, B8, 79, 83, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076efece8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076efeee0 6 bytes [48, B8, 39, 31, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076efeee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eff0a0 6 bytes [48, B8, F9, C5, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076eff0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076eff180 6 bytes [48, B8, 79, 3D, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076eff188 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076eff190 6 bytes [48, B8, B9, 3B, 2A, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076eff198 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eff1a0 6 bytes [48, B8, 39, 49, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076eff1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076eff280 6 bytes [48, B8, F9, 3C, 2B, 75] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000076eff288 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f6f0c1 11 bytes [B8, 39, 85, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf41861 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf42db1 11 bytes [B8, 79, B4, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf43461 11 bytes [B8, 39, B6, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 39, 11, 2B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, B9, 0D, 2B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, 79, 0F, 2B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf48f20 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, 79, 32, 2B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, F9, E1, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, B9, B2, 2A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf4ca31 11 bytes [B8, F9, B0, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf537d1 11 bytes [B8, F9, 4E, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, B9, CE, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2a642d 11 bytes [B8, 39, 5B, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2a6484 12 bytes [48, B8, F9, 55, 2A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2a6519 11 bytes [B8, 39, 62, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2a6c34 12 bytes [48, B8, 39, 54, 2A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2a7ab5 11 bytes [B8, F9, 5C, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2a8b01 11 bytes [B8, B9, 57, 2A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3372] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2a8c39 11 bytes [B8, 79, 59, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000076ed85e1 11 bytes [B8, F9, 35, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000076ee6921 7 bytes [B8, 39, 69, 2A, 75, 00, 00] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000076ee692a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076efda30 6 bytes [48, B8, B9, 3E, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000076efda38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076efdaa0 6 bytes [48, B8, 79, C2, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 0000000076efdaa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076efdb70 6 bytes [48, B8, 39, AF, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000076efdb78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 0000000076efdbc0 6 bytes [48, B8, 39, 34, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8 0000000076efdbc8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076efdc10 6 bytes [48, B8, F9, 32, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076efdc18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076efdc30 6 bytes [48, B8, 39, 1C, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076efdc38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076efdc50 6 bytes [48, B8, F9, 1D, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076efdc58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076efdc70 6 bytes [48, B8, 79, AD, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000076efdc78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076efdd20 6 bytes [48, B8, F9, 3C, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000076efdd28 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076efdd50 6 bytes [48, B8, 79, 2F, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000076efdd58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076efdd70 6 bytes [48, B8, 79, 36, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000076efdd78 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076efde00 6 bytes [48, B8, B9, 34, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000076efde08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076efde30 6 bytes [48, B8, 39, 0A, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000076efde38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076efde50 6 bytes [48, B8, 79, 40, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000076efde58 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000076efde80 6 bytes [48, B8, 39, 2A, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000076efde88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076efde90 6 bytes [48, B8, B9, 26, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000076efde98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076efdf00 6 bytes [48, B8, 79, DE, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076efdf08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076efdfb0 6 bytes [48, B8, F9, 43, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076efdfb8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076efe380 6 bytes [48, B8, 39, 3B, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000076efe388 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000076efe3d0 6 bytes [48, B8, 79, 28, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000076efe3d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076efe430 6 bytes [48, B8, F9, 24, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000076efe438 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076efe7a0 6 bytes [48, B8, 39, C4, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000076efe7a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076efe970 6 bytes [48, B8, 79, 32, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076efe978 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000076efece0 6 bytes [48, B8, 79, 83, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000076efece8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076efeee0 6 bytes [48, B8, 39, 31, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000076efeee8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eff0a0 6 bytes [48, B8, F9, C5, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000076eff0a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076eff180 6 bytes [48, B8, 79, 3D, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000076eff188 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076eff190 6 bytes [48, B8, B9, 3B, 2A, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000076eff198 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eff1a0 6 bytes [48, B8, 39, 42, 2B, 75] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000076eff1a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000076f6f0c1 11 bytes [B8, 39, 85, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcf41861 11 bytes [B8, 79, 52, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcf42db1 11 bytes [B8, 79, B4, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcf43461 11 bytes [B8, 39, B6, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcf450d1 11 bytes [B8, 79, 0F, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcf45370 12 bytes [48, B8, F9, 0B, 2B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcf45eb1 11 bytes [B8, B9, 0D, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcf48f20 12 bytes [48, B8, B9, 50, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcf497a1 11 bytes [B8, B9, 30, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1 000007fefcf4a0e1 11 bytes [B8, 39, E0, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf4aec0 12 bytes [48, B8, B9, B2, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcf4ca31 11 bytes [B8, F9, B0, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcf537d1 11 bytes [B8, F9, 4E, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefcf74310 12 bytes [48, B8, B9, 42, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcf80bd1 11 bytes [B8, B9, CE, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcf82831 8 bytes [B8, 39, 23, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcf8283a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcf82871 11 bytes [B8, F9, 40, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefd2a642d 11 bytes [B8, 39, 5B, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefd2a6484 12 bytes [48, B8, F9, 55, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefd2a6519 11 bytes [B8, 39, 62, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefd2a6c34 12 bytes [48, B8, 39, 54, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefd2a7ab5 11 bytes [B8, F9, 5C, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefd2a8b01 11 bytes [B8, B9, 57, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefd2a8c39 11 bytes [B8, 79, 59, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefdfeb031 11 bytes [B8, B9, 45, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe004991 11 bytes [B8, F9, 20, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe0049b1 11 bytes [B8, B9, 22, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe019209 11 bytes [B8, 39, 26, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007fefee7ae81 11 bytes [B8, B9, 29, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007fefee7aee1 11 bytes [B8, 39, 11, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007fefee7e6e9 11 bytes [B8, F9, 2E, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007fefee8048d 11 bytes [B8, F9, 12, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007fefee80579 11 bytes [B8, F9, 27, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007fefee805b1 11 bytes [B8, 79, 2B, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73 000007fefee805f9 5 bytes [B8, 39, 2D, 2B, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefee94e21 11 bytes [B8, 39, 49, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefee95538 12 bytes [48, B8, B9, 6C, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007fefeeab9c1 7 bytes [B8, 79, 16, 2B, 75, 00, 00] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007fefeeab9ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeeaba4c 12 bytes [48, B8, F9, 6A, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeeabbc0 12 bytes [48, B8, 79, 60, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeeabc2c 12 bytes [48, B8, B9, 5E, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007fefdd113b1 11 bytes [B8, B9, AB, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!closesocket 000007fefdd118e0 12 bytes [48, B8, F9, A9, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007fefdd11bd1 11 bytes [B8, 39, A8, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007fefdd12201 11 bytes [B8, 39, 1F, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefdd123c0 12 bytes [48, B8, 39, 8C, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!connect 000007fefdd145c0 12 bytes [48, B8, 79, 67, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdd18001 11 bytes [B8, 79, A6, 2A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefdd18df0 7 bytes [48, B8, B9, 8F, 2A, 75, 00] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007fefdd18df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefdd1c090 12 bytes [48, B8, F9, 8D, 2A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!socket + 1 000007fefdd1de91 11 bytes [B8, 39, 18, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!recv + 1 000007fefdd1df41 11 bytes [B8, 79, 1D, 2B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[3552] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007fefdd3e0f1 11 bytes [B8, B9, 1B, 2B, 75, 00, 00, ...] .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000770af930 5 bytes JMP 00000001751676b9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000770af968 5 bytes JMP 0000000175168921 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000770afa20 5 bytes JMP 0000000175165e61 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000770afb68 5 bytes JMP 0000000175165871 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000770afbe8 5 bytes JMP 00000001751684f9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000770afc60 5 bytes JMP 00000001751631d9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770afc90 5 bytes JMP 00000001751615f1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000770afcc0 5 bytes JMP 0000000175161689 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770afcf0 5 bytes JMP 00000001751657d9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000770afe08 5 bytes JMP 0000000175168889 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000770afe54 5 bytes JMP 00000001751630a9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000770afe84 5 bytes JMP 0000000175163309 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000770aff00 5 bytes JMP 00000001751667e1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000770aff64 5 bytes JMP 0000000175163271 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000770affb4 5 bytes JMP 0000000175167621 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000770affe4 5 bytes JMP 00000001751689b9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000770b002c 5 bytes JMP 0000000175162ee1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000770b0044 5 bytes JMP 0000000175162db1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770b00f4 5 bytes JMP 0000000175161ed9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770b0204 5 bytes JMP 0000000175162301 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770b07dc 5 bytes JMP 00000001751687f1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000770b0854 5 bytes JMP 0000000175162e49 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770b08e4 5 bytes JMP 0000000175162d19 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000770b0e34 5 bytes JMP 0000000175165ef9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000770b1100 5 bytes JMP 0000000175168461 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000770b1644 5 bytes JMP 0000000175164ac9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770b1960 5 bytes JMP 0000000175163141 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000770b1c24 5 bytes JMP 0000000175165f91 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000770b1d94 5 bytes JMP 0000000175163439 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000770b1db0 5 bytes JMP 00000001751633a1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000770b1dcc 5 bytes JMP 0000000175168a51 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 00000000770b1f28 5 bytes JMP 0000000175168629 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000770c28e4 5 bytes JMP 0000000175161ab1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000770c8e61 5 bytes JMP 0000000175168591 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000770f0eab 5 bytes JMP 0000000175162009 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077138b7f 5 bytes JMP 0000000175164b61 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007713ee1b 5 bytes JMP 0000000175161f71 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075790e00 5 bytes JMP 0000000175161da9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075791072 5 bytes JMP 0000000175162a21 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007579498f 5 bytes JMP 00000001751625f9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757a3bab 5 bytes JMP 0000000175163011 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757a9aa4 5 bytes JMP 0000000175166749 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000757a9b05 5 bytes JMP 00000001751664e9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000757b7327 5 bytes JMP 0000000175162729 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000757b88da 5 bytes JMP 0000000175165dc9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000757bccb1 5 bytes JMP 00000001751663b9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757bccd1 5 bytes JMP 0000000175166619 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075813161 5 bytes JMP 00000001751628f1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007583759b 5 bytes JMP 00000001751646a1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000758375be 5 bytes JMP 00000001751647d1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075837969 5 bytes JMP 0000000175164901 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000758379e2 5 bytes JMP 0000000175164a31 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c48f8d 5 bytes JMP 0000000175161a19 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c4c436 5 bytes JMP 0000000175163b59 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl 0000000076c4d0af 5 bytes JMP 0000000175166879 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c4eca6 5 bytes JMP 0000000175163601 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c4f206 5 bytes JMP 0000000175162399 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c4fa89 5 bytes JMP 0000000175161e41 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000076c4fbb7 5 bytes JMP 0000000175166289 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c51358 5 bytes JMP 0000000175163ac1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c5137f 5 bytes JMP 0000000175163a29 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c51d29 5 bytes JMP 0000000175161981 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c51e15 5 bytes JMP 00000001751624c9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c52ab1 5 bytes JMP 00000001751659a1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c52cdf 5 bytes JMP 0000000175165909 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c52d1d 5 bytes JMP 0000000175165a39 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c52e80 5 bytes JMP 00000001751618e9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c53b76 5 bytes JMP 0000000175162269 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c5449c 5 bytes JMP 0000000175162431 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c5460e 5 bytes JMP 0000000175163569 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c54637 5 bytes JMP 0000000175162c81 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000076c5a217 5 bytes JMP 00000001751677e9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000076c5a426 5 bytes JMP 0000000175167881 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000076c5a500 5 bytes JMP 0000000175167751 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c5c73a 5 bytes JMP 00000001751627c1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000076c5e2a4 5 bytes JMP 00000001751683c9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000000238e89 5 bytes JMP 0000000075167a49 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000000239179 5 bytes JMP 0000000075167919 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000000239186 5 bytes JMP 0000000075168169 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000000023c4d2 5 bytes JMP 0000000075168331 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000000023c9ec 5 bytes JMP 0000000075163c89 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000000023deb4 5 bytes JMP 00000000751679b1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000000023ded6 5 bytes JMP 0000000075168299 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000000023deee 5 bytes JMP 00000000751680d1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000000023df1e 5 bytes JMP 0000000075168201 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000000242b50 5 bytes JMP 0000000075163bf1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000002435fc 5 bytes JMP 00000000751640b1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 000000000024494d 5 bytes JMP 0000000075168ae9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 000000000025714c 5 bytes JMP 0000000075164311 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000000257164 5 bytes JMP 0000000075163e51 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000000025717c 5 bytes JMP 0000000075163ee9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 00000000002577c3 5 bytes JMP 0000000075167ae1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000000273384 5 bytes JMP 0000000075163f81 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000000273394 5 bytes JMP 0000000075164019 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000002733a4 5 bytes JMP 0000000075163d21 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000002733b4 5 bytes JMP 0000000075163db9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000002733f4 5 bytes JMP 0000000075164279 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\msvcrt.dll!_lock + 41 00000000004ea472 5 bytes JMP 0000000075168b81 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000004f27ce 5 bytes JMP 0000000075161be1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\msvcrt.dll!__p__environ 00000000004fe6cf 5 bytes JMP 0000000075161b49 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 00000000752f633b 5 bytes JMP 0000000175168c19 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 000000007531868d 5 bytes JMP 0000000175167e71 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 00000000753186ac 5 bytes JMP 0000000175167f09 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\GDI32.dll!NamedEscape 00000000753240e9 5 bytes JMP 0000000175168039 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000755e78e2 5 bytes JMP 0000000175164441 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000755e7bd3 5 bytes JMP 00000001751643a9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000755e8a29 5 bytes JMP 0000000175164f89 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000755e98fd 1 byte JMP 0000000175165c01 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!FindWindowW + 2 00000000755e98ff 3 bytes {JMP 0xffffffffffb7c304} .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000755eb6ed 5 bytes JMP 0000000175168cb1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000755ed22e 5 bytes JMP 0000000175165021 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755eee09 5 bytes JMP 00000001751634d1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000755effe6 5 bytes JMP 0000000175165ad1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000755f00d9 5 bytes JMP 0000000175165b69 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000755f05ba 5 bytes JMP 0000000175164571 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000755f0dfb 5 bytes JMP 00000001751650b9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000755f12a5 5 bytes JMP 0000000175168759 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000755f20ec 5 bytes JMP 0000000175165449 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000755f3baa 5 bytes JMP 00000001751686c1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!SetWindowPlacement 00000000755f4ab6 5 bytes JMP 0000000175167fa1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000755f5f74 5 bytes JMP 00000001751644d9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000755f6285 5 bytes JMP 0000000175164bf9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755f7603 5 bytes JMP 0000000175162be9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000755f7aee 5 bytes JMP 00000001751653b1 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755f835c 5 bytes JMP 0000000175162b51 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007560ce54 5 bytes JMP 00000001751651e9 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007560f52b 5 bytes JMP 0000000175164c91 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007560f588 5 bytes JMP 0000000175165c99 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756110a0 5 bytes JMP 0000000175165151 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007563fcd6 2 bytes JMP 0000000175165281 .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007563fcd9 2 bytes [B2, FF] .text C:\Users\Bubsky\Downloads\1mwe55yp.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007563fcfa 5 bytes JMP 0000000175165319 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [444:2428] 000007fef7b620c0 Thread C:\Windows\System32\svchost.exe [444:2432] 000007fef7b626a8 Thread C:\Windows\System32\svchost.exe [444:2460] 000007fef7b629dc Thread C:\Windows\System32\svchost.exe [444:3128] 000007fef84944d0 Thread C:\Windows\System32\svchost.exe [444:3944] 000007fef86989b8 Thread C:\Windows\System32\svchost.exe [444:2464] 000007fef84ad700 Thread C:\Windows\system32\taskhost.exe [2528:2576] 000007fef76b2740 Thread C:\Windows\system32\taskhost.exe [2528:2588] 000007fefb141010 Thread C:\Windows\system32\taskhost.exe [2528:2624] 000007fef76a1f38 Thread C:\Windows\system32\taskhost.exe [2528:2712] 000007fefd1092c0 Thread C:\Windows\system32\taskhost.exe [2528:3092] 000007fef73e5170 Thread C:\Windows\system32\svchost.exe [3552:3588] 000007fef6785fd0 Thread C:\Windows\system32\svchost.exe [3552:3592] 000007fef67863ec Thread C:\Windows\system32\svchost.exe [3552:3348] 000007fef2928470 Thread C:\Windows\system32\svchost.exe [3552:3364] 000007fef2932418 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4244:4656] 0000000075897587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4244:4660] 000000006ab18aa6 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4244:4716] 00000000770cc557 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4244:2660] 00000000770e27c1 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4244:4396] 00000000770e27c1 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4244:1172] 00000000770e27c1 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4492:5072] 000007fefd660168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4492:4224] 000007fefa782ae8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4492:2900] 000007fef8625124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\aded5e82-b909-4619-9949-f5d71dac0bcb@ACSettingIndex 6 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList@MRUList a Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0xB0 0xB7 0x11 0x01 ... ---- Files - GMER 2.1 ---- File C:\FRST 0 bytes File C:\FRST\Hives 0 bytes File C:\FRST\Hives\BCD 32768 bytes File C:\FRST\Hives\default 249856 bytes File C:\FRST\Hives\ERDNT.CON 737 bytes File C:\FRST\Hives\ERDNT.EXE 163328 bytes executable File C:\FRST\Hives\ERDNT.INF 813 bytes File C:\FRST\Hives\ERDNTDOS.LOC 2815 bytes File C:\FRST\Hives\ERDNTWIN.LOC 3275 bytes File C:\FRST\Hives\sam 61440 bytes File C:\FRST\Hives\security 24576 bytes File C:\FRST\Hives\software 63844352 bytes File C:\FRST\Hives\system 15433728 bytes File C:\FRST\Hives\Users 0 bytes File C:\FRST\Hives\Users\00000001 0 bytes File C:\FRST\Hives\Users\00000001\ntuser.dat 1404928 bytes File C:\FRST\Hives\Users\00000002 0 bytes File C:\FRST\Hives\Users\00000002\UsrClass.dat 929792 bytes File C:\FRST\Logs 0 bytes File C:\FRST\Logs\Addition_06-11-2015_20-59-03.txt 21704 bytes File C:\FRST\Logs\FRST_06-11-2015_20-59-03.txt 73663 bytes File C:\FRST\Quarantine 0 bytes ---- EOF - GMER 2.1 ----