GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-25 23:43:25 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d PLEXTOR_PX-128M6S rev.1.08 119,24GB Running: Gmer.exe; Driver: C:\USERS\BAREK\APPDATA\LOCAL\TEMP\pwddrpob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\NTASN1.dll [2416] entry point in ".rdata" section 000000007345bb10 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007fffd46dcb61 11 bytes [B8, 34, 2E, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007fffd46dcde0 12 bytes [48, B8, 60, 2F, 11, 72, 2A, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007fffd46ddd91 11 bytes [B8, B8, 31, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007fffd46ddfb1 11 bytes [B8, F6, 2F, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007fffd46de231 11 bytes [B8, 4E, 32, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007fffd46dea01 11 bytes [B8, 8C, 30, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007fffd46deb50 12 bytes [48, B8, CA, 2E, 11, 72, 2A, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007fffd46df1e0 12 bytes [48, B8, 72, 2C, 11, 72, 2A, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007fffd46e0421 11 bytes [B8, DC, 2B, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007fffd46e1900 12 bytes [48, B8, 08, 2D, 11, 72, 2A, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007fffd46e5401 11 bytes [B8, 9E, 2D, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007fffd46e73a1 11 bytes [B8, 22, 31, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007fffd46e90c1 11 bytes [B8, 7C, 22, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, 16, 4D, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpOpenRequest 00007fffcd8a92e0 12 bytes [48, B8, AC, 4D, 11, 72, 2A, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpCloseHandle + 1 00007fffcd8b4421 11 bytes [B8, 42, 4E, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpConnect + 1 00007fffcd8c4681 11 bytes [B8, D8, 4E, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQueryEx + 1 00007fffd18c19f1 11 bytes [B8, C6, 51, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_UTF8 00007fffd18de9f0 12 bytes [48, B8, 30, 51, 11, 72, 2A, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_W 00007fffd18dea50 12 bytes [48, B8, 9A, 50, 11, 72, 2A, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007fffd18e7911 11 bytes [B8, 6E, 4F, 11, 72, 2A, 02, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3492] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_A 00007fffd1909510 12 bytes [48, B8, 04, 50, 11, 72, 2A, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW 00007fffd36a6aa0 12 bytes [48, B8, BC, 0F, 7F, D4, BA, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1 00007fffd36ac961 11 bytes [B8, D6, 13, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!FindClose + 1 00007fffd36ad221 11 bytes [B8, A0, 1C, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW 00007fffd36ad4b0 12 bytes [48, B8, 74, 1B, 7F, D4, BA, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!OpenThread 00007fffd36babc0 12 bytes [48, B8, E0, 09, 7F, D4, BA, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1 00007fffd36bac31 11 bytes [B8, 0A, 1C, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW + 1 00007fffd36bc191 11 bytes [B8, 38, 0C, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle + 1 00007fffd36bc441 11 bytes [B8, CE, 0C, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007fffd36bc610 12 bytes [48, B8, 40, 13, 7F, D4, BA, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1 00007fffd36bca61 11 bytes [B8, A2, 0B, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress + 1 00007fffd36d8141 11 bytes [B8, 6C, 14, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007fffd36dd040 12 bytes [48, B8, 9A, 04, 7F, D4, BA, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1 00007fffd36e3c51 8 bytes [B8, 86, 18, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10 00007fffd36e3c5a 2 bytes [50, C3] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1 00007fffd36e3c81 8 bytes [B8, B2, 19, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 10 00007fffd36e3c8a 2 bytes [50, C3] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1 00007fffd36ffaa1 11 bytes [B8, AA, 12, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1 00007fffd37008c1 11 bytes [B8, 0C, 0B, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1 00007fffd37108e1 11 bytes [B8, 5A, 17, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1 00007fffd3712e31 11 bytes [B8, 90, 0E, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1 00007fffd37509c1 11 bytes [B8, FA, 0D, 7F, D4, BA, 01, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA 00007fffd3751480 12 bytes [48, B8, 26, 0F, 7F, D4, BA, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread 00007fffd3765350 12 bytes [48, B8, AC, 01, 7F, D4, BA, ...] .text C:\WINDOWS\system32\sihost.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread 00007fffd37653a0 12 bytes [48, B8, 76, 0A, 7F, D4, BA, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007fffd689cec1 11 bytes [B8, 64, 0D, B0, 27, 4A, 02, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 00007fffd689d821 11 bytes [B8, DE, 1A, B0, 27, 4A, 02, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile 00007fffd68f4e40 12 bytes [48, B8, 24, 20, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007fffd68f4f20 12 bytes [48, B8, 98, 15, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007fffd68f50c0 12 bytes [48, B8, 14, 12, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffd68f5200 12 bytes [48, B8, 5C, 06, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffd68f5240 12 bytes [48, B8, 80, 00, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffd68f5280 12 bytes [48, B8, 16, 01, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007fffd68f52c0 12 bytes [48, B8, 7E, 11, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007fffd68f5420 12 bytes [48, B8, F8, 1E, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007fffd68f5480 12 bytes [48, B8, 30, 05, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007fffd68f54c0 12 bytes [48, B8, 88, 07, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007fffd68f5560 12 bytes [48, B8, 48, 1A, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007fffd68f55e0 12 bytes [48, B8, F2, 06, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007fffd68f5680 12 bytes [48, B8, BA, 20, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007fffd68f56e0 12 bytes [48, B8, 04, 04, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007fffd68f5700 12 bytes [48, B8, D8, 02, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fffd68f57e0 12 bytes [48, B8, 8E, 1F, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007fffd68f5930 12 bytes [48, B8, E6, 21, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007fffd68f6230 12 bytes [48, B8, 62, 1E, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007fffd68f62f0 12 bytes [48, B8, 6E, 03, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007fffd68f63b0 12 bytes [48, B8, 42, 02, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007fffd68f6c10 12 bytes [48, B8, 2E, 16, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError 00007fffd68f7730 12 bytes [48, B8, 52, 10, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007fffd68f7b70 12 bytes [48, B8, C6, 05, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007fffd68f7f50 12 bytes [48, B8, C4, 16, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007fffd68f8170 12 bytes [48, B8, 4A, 09, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007fffd68f8190 12 bytes [48, B8, B4, 08, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007fffd68f81b0 12 bytes [48, B8, 50, 21, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007fffd68f83d0 12 bytes [48, B8, CC, 1D, B0, 27, 4A, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlReportException + 1 00007fffd6920611 11 bytes [B8, E8, 10, B0, 27, 4A, 02, ...] .text C:\WINDOWS\system32\taskhostw.exe[3100] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, E2, 44, B0, 27, 4A, 02, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1 00007fffd67c5d71 11 bytes [B8, 6C, 14, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot 00007fffd67ce800 12 bytes [48, B8, 1E, 08, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1 00007fffd67e1391 8 bytes [B8, 26, 0F, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10 00007fffd67e139a 2 bytes [50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1 00007fffd67e1491 8 bytes [B8, 52, 10, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 10 00007fffd67e149a 2 bytes [50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!FindClose + 1 00007fffd36ad221 11 bytes [B8, D6, 13, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW 00007fffd36ad4b0 12 bytes [48, B8, AA, 12, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!OpenThread 00007fffd36babc0 12 bytes [48, B8, E0, 09, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1 00007fffd36bac31 11 bytes [B8, 40, 13, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress + 1 00007fffd36d8141 11 bytes [B8, 14, 12, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007fffd36dd040 12 bytes [48, B8, 9A, 04, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1 00007fffd36e3c51 8 bytes [B8, BC, 0F, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10 00007fffd36e3c5a 2 bytes [50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1 00007fffd36e3c81 8 bytes [B8, E8, 10, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 10 00007fffd36e3c8a 2 bytes [50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1 00007fffd37008c1 11 bytes [B8, 0C, 0B, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1 00007fffd37108e1 11 bytes [B8, 90, 0E, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread 00007fffd3765350 12 bytes [48, B8, AC, 01, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread 00007fffd37653a0 12 bytes [48, B8, 76, 0A, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1 00007fffd63728e1 8 bytes [B8, 74, 1C, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10 00007fffd63728ea 2 bytes [50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1 00007fffd637a8d1 11 bytes [B8, 86, 18, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrA 00007fffd637d740 12 bytes [48, B8, 8E, 20, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!GetWindowLongA 00007fffd637f770 12 bytes [48, B8, BA, 21, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!GetWindowLongW + 1 00007fffd637f881 11 bytes [B8, 50, 22, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!GetWindowLongPtrW + 1 00007fffd637faf1 11 bytes [B8, 24, 21, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 1 00007fffd6387221 11 bytes [B8, 12, 24, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA 00007fffd6387810 5 bytes [48, B8, E6, 22, 74] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SetWindowLongPtrA + 6 00007fffd6387816 6 bytes [00, 00, 00, 00, 50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1 00007fffd6389481 11 bytes [B8, 6A, 26, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1 00007fffd638cad1 2 bytes [B8, A8] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!GetMessageA + 4 00007fffd638cad4 8 bytes [74, 00, 00, 00, 00, 00, 50, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007fffd6391d50 12 bytes [48, B8, F8, 1F, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!GetMessageW 00007fffd6392df0 12 bytes [48, B8, 3E, 25, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1 00007fffd6393c61 5 bytes [B8, CC, 1E, 74, 00] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9 00007fffd6393c69 3 bytes [00, 50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1 00007fffd6395aa1 7 bytes [B8, 62, 1F, 74, 00, 00, 00] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9 00007fffd6395aa9 3 bytes [00, 50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1 00007fffd6395dd1 7 bytes [B8, 0A, 1D, 74, 00, 00, 00] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9 00007fffd6395dd9 3 bytes [00, 50, C3] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007fffd6396dd0 12 bytes [48, B8, A0, 1D, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1 00007fffd6397641 11 bytes [B8, D4, 25, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA + 1 00007fffd639d0c1 11 bytes [B8, 7C, 23, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1 00007fffd63f87a1 11 bytes [B8, 36, 1E, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007fffd60f2fc1 11 bytes [B8, C2, 28, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007fffd60f44d0 12 bytes [48, B8, 00, 27, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007fffd60f67e0 12 bytes [48, B8, 96, 27, 74, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007fffd60f6881 11 bytes [B8, B0, 2B, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007fffd60f7b51 11 bytes [B8, 58, 29, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007fffd61038b1 11 bytes [B8, 48, 1A, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007fffd6104d81 11 bytes [B8, 1A, 2B, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007fffd6109211 11 bytes [B8, 84, 2A, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007fffd6118ac1 11 bytes [B8, 2C, 28, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007fffd6119351 11 bytes [B8, EE, 29, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007fffd46e0421 11 bytes [B8, 4E, 33, 74, 00, 00, 00, ...] .text C:\WINDOWS\Explorer.EXE[4200] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007fffd46e90c1 11 bytes [B8, B8, 32, 74, 00, 00, 00, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW 00007fffd36a6aa0 12 bytes [48, B8, BC, 0F, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1 00007fffd36ac961 11 bytes [B8, D6, 13, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!FindClose + 1 00007fffd36ad221 11 bytes [B8, A0, 1C, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW 00007fffd36ad4b0 12 bytes [48, B8, 74, 1B, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!OpenThread 00007fffd36babc0 12 bytes [48, B8, E0, 09, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1 00007fffd36bac31 11 bytes [B8, 0A, 1C, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW + 1 00007fffd36bc191 11 bytes [B8, 38, 0C, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle + 1 00007fffd36bc441 11 bytes [B8, CE, 0C, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007fffd36bc610 12 bytes [48, B8, 40, 13, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1 00007fffd36bca61 11 bytes [B8, A2, 0B, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress + 1 00007fffd36d8141 11 bytes [B8, 6C, 14, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007fffd36dd040 12 bytes [48, B8, 9A, 04, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1 00007fffd36e3c51 8 bytes [B8, 86, 18, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10 00007fffd36e3c5a 2 bytes [50, C3] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1 00007fffd36e3c81 8 bytes [B8, B2, 19, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 10 00007fffd36e3c8a 2 bytes [50, C3] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1 00007fffd36ffaa1 11 bytes [B8, AA, 12, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1 00007fffd37008c1 11 bytes [B8, 0C, 0B, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1 00007fffd37108e1 11 bytes [B8, 5A, 17, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1 00007fffd3712e31 11 bytes [B8, 90, 0E, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1 00007fffd37509c1 11 bytes [B8, FA, 0D, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA 00007fffd3751480 12 bytes [48, B8, 26, 0F, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread 00007fffd3765350 12 bytes [48, B8, AC, 01, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread 00007fffd37653a0 12 bytes [48, B8, 76, 0A, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007fffd60f2fc1 11 bytes [B8, 00, 26, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007fffd60f44d0 12 bytes [48, B8, 3E, 24, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007fffd60f67e0 12 bytes [48, B8, D4, 24, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007fffd60f6881 11 bytes [B8, EE, 28, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007fffd60f7b51 11 bytes [B8, 96, 26, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007fffd61038b1 11 bytes [B8, 7C, 22, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007fffd6104d81 11 bytes [B8, 58, 28, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007fffd6109211 11 bytes [B8, C2, 27, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007fffd6118ac1 11 bytes [B8, 6A, 25, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007fffd6119351 11 bytes [B8, 2C, 27, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, E2, 44, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpOpenRequest 00007fffcd8a92e0 12 bytes [48, B8, 0E, 46, BF, 4B, 3E, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpCloseHandle + 1 00007fffcd8b4421 11 bytes [B8, A4, 46, BF, 4B, 3E, 02, ...] .text C:\Windows\System32\RuntimeBroker.exe[4264] C:\WINDOWS\SYSTEM32\WINHTTP.dll!WinHttpConnect + 1 00007fffcd8c4681 11 bytes [B8, 3A, 47, BF, 4B, 3E, 02, ...] ? C:\WINDOWS\SYSTEM32\NTASN1.dll [4848] entry point in ".rdata" section 000000007345bb10 ? C:\WINDOWS\system32\apphelp.dll [4848] entry point in ".rdata" section 000000006d8e0380 .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, E2, 44, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007fffd46dcb61 11 bytes [B8, 66, 48, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007fffd46dcde0 12 bytes [48, B8, 92, 49, 07, 0F, C0, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007fffd46ddd91 11 bytes [B8, EA, 4B, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007fffd46ddfb1 11 bytes [B8, 28, 4A, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007fffd46de231 11 bytes [B8, 80, 4C, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007fffd46dea01 11 bytes [B8, BE, 4A, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007fffd46deb50 12 bytes [48, B8, FC, 48, 07, 0F, C0, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007fffd46df1e0 12 bytes [48, B8, A4, 46, 07, 0F, C0, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007fffd46e0421 11 bytes [B8, 0E, 46, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007fffd46e1900 12 bytes [48, B8, 3A, 47, 07, 0F, C0, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007fffd46e5401 11 bytes [B8, D0, 47, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007fffd46e73a1 11 bytes [B8, 54, 4B, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007fffd46e90c1 11 bytes [B8, 78, 45, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpOpenRequest 00007fffcd8a92e0 12 bytes [48, B8, AC, 4D, 07, 0F, C0, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpCloseHandle + 1 00007fffcd8b4421 11 bytes [B8, 42, 4E, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\SYSTEM32\winhttp.dll!WinHttpConnect + 1 00007fffcd8c4681 11 bytes [B8, D8, 4E, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\DNSAPI.dll!DnsQueryEx + 1 00007fffd18c19f1 11 bytes [B8, C6, 51, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_UTF8 00007fffd18de9f0 12 bytes [48, B8, 30, 51, 07, 0F, C0, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_W 00007fffd18dea50 12 bytes [48, B8, 9A, 50, 07, 0F, C0, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007fffd18e7911 11 bytes [B8, 6E, 4F, 07, 0F, C0, 01, ...] .text C:\WINDOWS\system32\DllHost.exe[1212] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_A 00007fffd1909510 12 bytes [48, B8, 04, 50, 07, 0F, C0, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, E2, 44, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007fffd46dcb61 11 bytes [B8, 66, 48, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007fffd46dcde0 12 bytes [48, B8, 92, 49, 6C, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007fffd46ddd91 11 bytes [B8, EA, 4B, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007fffd46ddfb1 11 bytes [B8, 28, 4A, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007fffd46de231 11 bytes [B8, 80, 4C, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007fffd46dea01 11 bytes [B8, BE, 4A, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007fffd46deb50 12 bytes [48, B8, FC, 48, 6C, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007fffd46df1e0 12 bytes [48, B8, A4, 46, 6C, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007fffd46e0421 11 bytes [B8, 0E, 46, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007fffd46e1900 12 bytes [48, B8, 3A, 47, 6C, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007fffd46e5401 11 bytes [B8, D0, 47, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007fffd46e73a1 11 bytes [B8, 54, 4B, 6C, 00, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007fffd46e90c1 11 bytes [B8, 78, 45, 6C, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, A4, 46, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9 00007fffc1ae6c30 12 bytes [48, B8, 3A, 47, 40, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007fffd46dcb61 11 bytes [B8, 16, 4D, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007fffd46dcde0 12 bytes [48, B8, 42, 4E, 40, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007fffd46ddd91 11 bytes [B8, 9A, 50, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007fffd46ddfb1 11 bytes [B8, D8, 4E, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007fffd46de231 11 bytes [B8, 30, 51, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007fffd46dea01 11 bytes [B8, 6E, 4F, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007fffd46deb50 12 bytes [48, B8, AC, 4D, 40, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007fffd46df1e0 12 bytes [48, B8, 54, 4B, 40, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007fffd46e0421 11 bytes [B8, BE, 4A, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007fffd46e1900 12 bytes [48, B8, EA, 4B, 40, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007fffd46e5401 11 bytes [B8, 80, 4C, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007fffd46e73a1 11 bytes [B8, 04, 50, 40, 00, 00, 00, ...] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[5960] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007fffd46e90c1 11 bytes [B8, 28, 4A, 40, 00, 00, 00, ...] ? C:\WINDOWS\SYSTEM32\apphelp.dll [5496] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5496] entry point in ".rdata" section 000000006e08c4c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5384] entry point in ".rdata" section 000000006e08c4c0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5384] entry point in ".rdata" section 000000007345bb10 ? C:\Windows\SYSTEM32\ActXPrxy.dll [5384] entry point in ".rdata" section 000000006820bc40 ? C:\WINDOWS\SYSTEM32\PhotoMetadataHandler.dll [5384] entry point in ".rdata" section 000000006e225fc0 ? C:\WINDOWS\SYSTEM32\srpapi.dll [5384] entry point in ".rdata" section 000000006ee42a90 ? C:\WINDOWS\system32\apphelp.dll [3132] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\SYSTEM32\iertutil.dll [764] entry point in ".rdata" section 000000006e08c4c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6212] entry point in ".rdata" section 000000006e08c4c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [1440] entry point in ".rdata" section 000000006e08c4c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [1160] entry point in ".rdata" section 000000006e08c4c0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [7204] entry point in ".rdata" section 0000000071588fa0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7204] entry point in ".rdata" section 000000006e08c4c0 .text C:\Windows\System32\SystemSettingsBroker.exe[7544] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, E2, 44, 12, 5E, 69, 02, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00007fffd689cec1 11 bytes [B8, 64, 0D, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetEnvironmentVariable + 1 00007fffd689d821 11 bytes [B8, DE, 1A, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteFile 00007fffd68f4e40 12 bytes [48, B8, 24, 20, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007fffd68f4f20 12 bytes [48, B8, 98, 15, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007fffd68f50c0 12 bytes [48, B8, 14, 12, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffd68f5200 12 bytes [48, B8, 5C, 06, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffd68f5240 12 bytes [48, B8, 80, 00, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffd68f5280 12 bytes [48, B8, 16, 01, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007fffd68f52c0 12 bytes [48, B8, 7E, 11, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007fffd68f5420 12 bytes [48, B8, F8, 1E, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007fffd68f5480 12 bytes [48, B8, 30, 05, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007fffd68f54c0 12 bytes [48, B8, 88, 07, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007fffd68f5560 12 bytes [48, B8, 48, 1A, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007fffd68f55e0 12 bytes [48, B8, F2, 06, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007fffd68f5680 12 bytes [48, B8, BA, 20, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcessEx 00007fffd68f56e0 12 bytes [48, B8, 04, 04, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007fffd68f5700 12 bytes [48, B8, D8, 02, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fffd68f57e0 12 bytes [48, B8, 8E, 1F, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetValueKey 00007fffd68f5930 12 bytes [48, B8, E6, 21, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007fffd68f6230 12 bytes [48, B8, 62, 1E, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateProcess 00007fffd68f62f0 12 bytes [48, B8, 6E, 03, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007fffd68f63b0 12 bytes [48, B8, 42, 02, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007fffd68f6c10 12 bytes [48, B8, 2E, 16, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError 00007fffd68f7730 5 bytes [48, B8, 52, 10, F8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtRaiseHardError + 6 00007fffd68f7736 6 bytes [D2, 01, 00, 00, 50, C3] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007fffd68f7b70 5 bytes [48, B8, C6, 05, F8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread + 6 00007fffd68f7b76 6 bytes [D2, 01, 00, 00, 50, C3] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007fffd68f7f50 5 bytes [48, B8, C4, 16, F8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation + 6 00007fffd68f7f56 6 bytes [D2, 01, 00, 00, 50, C3] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007fffd68f8170 5 bytes [48, B8, 4A, 09, F8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess + 6 00007fffd68f8176 6 bytes [D2, 01, 00, 00, 50, C3] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007fffd68f8190 5 bytes [48, B8, B4, 08, F8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread + 6 00007fffd68f8196 6 bytes [D2, 01, 00, 00, 50, C3] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007fffd68f81b0 5 bytes [48, B8, 50, 21, F8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl + 6 00007fffd68f81b6 6 bytes [D2, 01, 00, 00, 50, C3] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007fffd68f83d0 5 bytes [48, B8, CC, 1D, F8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 6 00007fffd68f83d6 6 bytes [D2, 01, 00, 00, 50, C3] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlReportException + 1 00007fffd6920611 11 bytes [B8, E8, 10, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007fffd46dcb61 11 bytes [B8, 92, 49, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007fffd46dcde0 12 bytes [48, B8, BE, 4A, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007fffd46ddd91 11 bytes [B8, 16, 4D, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007fffd46ddfb1 11 bytes [B8, 54, 4B, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007fffd46de231 11 bytes [B8, AC, 4D, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007fffd46dea01 11 bytes [B8, EA, 4B, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007fffd46deb50 12 bytes [48, B8, 28, 4A, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007fffd46df1e0 12 bytes [48, B8, D0, 47, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007fffd46e0421 11 bytes [B8, 3A, 47, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007fffd46e1900 12 bytes [48, B8, 66, 48, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007fffd46e5401 11 bytes [B8, FC, 48, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007fffd46e73a1 11 bytes [B8, 80, 4C, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007fffd46e90c1 2 bytes [B8, D4] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\WS2_32.dll!WEP + 276 00007fffd46e90c4 8 bytes [F8, 01, D2, 01, 00, 00, 50, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, A4, 46, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQueryEx + 1 00007fffd18c19f1 11 bytes [B8, 9A, 50, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_UTF8 00007fffd18de9f0 12 bytes [48, B8, 04, 50, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_W 00007fffd18dea50 12 bytes [48, B8, 6E, 4F, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsDhcpRegisterAddrs + 433 00007fffd18e7911 11 bytes [B8, 96, 26, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_A 00007fffd1909510 12 bytes [48, B8, D8, 4E, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory2 + 1 00007fffd0455611 11 bytes [B8, F2, 52, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory + 1 00007fffd0455851 11 bytes [B8, C6, 51, F8, 01, D2, 01, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 + 1 00007fffd04559b1 1 byte [B8] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 + 3 00007fffd04559b3 9 bytes [52, F8, 01, D2, 01, 00, 00, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fffc4cfcc60 12 bytes [48, B8, B4, 54, F8, 01, D2, ...] .text D:\TeamSpeak\ts3client_win64.exe[7984] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW + 1 00007fffc4d0cac1 11 bytes [B8, 1E, 54, F8, 01, D2, 01, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!send + 1 00007fffd46dcb61 11 bytes [B8, B0, 2A, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!closesocket 00007fffd46dcde0 12 bytes [48, B8, DC, 2B, 45, FB, 46, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!recv + 1 00007fffd46ddd91 11 bytes [B8, 34, 2E, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1 00007fffd46ddfb1 11 bytes [B8, 72, 2C, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1 00007fffd46de231 11 bytes [B8, CA, 2E, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!socket + 1 00007fffd46dea01 11 bytes [B8, 08, 2D, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!WSASocketW 00007fffd46deb50 12 bytes [48, B8, 46, 2B, 45, FB, 46, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW 00007fffd46df1e0 12 bytes [48, B8, EE, 28, 45, FB, 46, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!connect + 1 00007fffd46e0421 11 bytes [B8, 58, 28, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW 00007fffd46e1900 12 bytes [48, B8, 84, 29, 45, FB, 46, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1 00007fffd46e5401 11 bytes [B8, 1A, 2A, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1 00007fffd46e73a1 11 bytes [B8, 9E, 2D, 45, FB, 46, 02, ...] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4516] C:\WINDOWS\system32\WS2_32.dll!WEP + 273 00007fffd46e90c1 11 bytes [B8, E6, 21, 45, FB, 46, 02, ...] .text C:\Windows\System32\InstallAgent.exe[7396] C:\Windows\System32\WINHTTP.dll!WinHttpOpenRequest 00007fffcd8a92e0 12 bytes [48, B8, DA, 3D, 68, 08, 6D, ...] .text C:\Windows\System32\InstallAgent.exe[7396] C:\Windows\System32\WINHTTP.dll!WinHttpCloseHandle + 1 00007fffcd8b4421 11 bytes [B8, 70, 3E, 68, 08, 6D, 01, ...] .text C:\Windows\System32\InstallAgent.exe[7396] C:\Windows\System32\WINHTTP.dll!WinHttpConnect + 1 00007fffcd8c4681 11 bytes [B8, 06, 3F, 68, 08, 6D, 01, ...] ? C:\WINDOWS\system32\wbem\wbemsvc.dll [7576] entry point in ".rdata" section 0000000071588fa0 ? C:\WINDOWS\SYSTEM32\apphelp.dll [7576] entry point in ".rdata" section 000000006d8e0380 ? C:\Windows\SYSTEM32\iertutil.dll [7576] entry point in ".rdata" section 000000006e08c4c0 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[1416] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007fffd4c214b1 11 bytes [B8, E2, 44, 92, 00, 26, 02, ...] ? C:\WINDOWS\system32\apphelp.dll [3976] entry point in ".rdata" section 000000006d8e0380 ? C:\Windows\SYSTEM32\ActXPrxy.dll [3976] entry point in ".rdata" section 000000006820bc40 ? C:\WINDOWS\system32\apphelp.dll [3720] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [596] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [9196] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [1552] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [2224] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [5424] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [6672] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [4392] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [2064] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [1680] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [8444] entry point in ".rdata" section 000000006d8e0380 ? C:\WINDOWS\system32\apphelp.dll [9180] entry point in ".rdata" section 000000006d8e0380 .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1 00007fffd67c5d71 11 bytes [B8, 6C, 14, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot 00007fffd67ce800 12 bytes [48, B8, 1E, 08, DD, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1 00007fffd67e1391 8 bytes [B8, 26, 0F, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10 00007fffd67e139a 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1 00007fffd67e1491 8 bytes [B8, 52, 10, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 10 00007fffd67e149a 2 bytes [50, C3] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!ControlServiceExW + 1 00007fffd60f2fc1 11 bytes [B8, C2, 28, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!OpenServiceA 00007fffd60f44d0 12 bytes [48, B8, 00, 27, DD, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!OpenServiceW 00007fffd60f67e0 12 bytes [48, B8, 96, 27, DD, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!CloseServiceHandle + 1 00007fffd60f6881 11 bytes [B8, B0, 2B, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!ControlService + 1 00007fffd60f7b51 11 bytes [B8, 58, 29, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!CapabilityCheck + 673 00007fffd61038b1 11 bytes [B8, 48, 1A, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigW + 1 00007fffd6104d81 11 bytes [B8, 1A, 2B, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!ChangeServiceConfigA + 1 00007fffd6109211 11 bytes [B8, 84, 2A, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!ControlServiceExA + 1 00007fffd6118ac1 11 bytes [B8, 2C, 28, DD, 00, 00, 00, ...] .text C:\WINDOWS\explorer.exe[8344] C:\WINDOWS\system32\sechost.dll!DeleteService + 1 00007fffd6119351 11 bytes [B8, EE, 29, DD, 00, 00, 00, ...] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [672:5092] fffff961c5124060 Thread C:\WINDOWS\Explorer.EXE [4200:5500] 00007fffb7540250 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:4632] 00007fffd40a7c30 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:4640] 00007fffd3948ee0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:4664] 00007fffc74eaf10 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:4672] 00007fffc89fe200 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:4836] 00007fffc705fc00 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:1964] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:4940] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:3012] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:1120] 00007fffb9049dd0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:5008] 00007fffb902d310 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:4988] 00007fffb90a1c20 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:1072] 00007fffb903b4b0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:1124] 00007fffca20cf00 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:5080] 00007fffb90a1c20 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:3188] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:5124] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:5128] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:5136] 00007fffb909e100 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:6012] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:6016] 00007fffd499b0f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:7476] 00007fffce5da5e4 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:6408] 00007fffd40a7c30 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:7064] 00007fffd3949fe0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [4596:5392] 00007fffc7286620 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----