Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-01-2015
Ran by Administrator at 2015-01-11 13:48:42
Running from C:\Users\Daniel\Downloads
Boot Mode: Normal
==========================================================
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Bitdefender Antivirus (Enabled - Up to date) {9A0813D8-CED6-F86B-072E-28D2AF25A83D}
AS: Bitdefender Spyware-Schutz (Enabled - Up to date) {2169F23C-E8EC-F7E5-3D9E-13A0D4A2E280}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Enabled) {A23392FD-84B9-F933-2C71-81E751F6EF46}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
AMD Catalyst Install Manager (HKLM\...\{37FCE154-7F59-74F0-3A35-BF503CEB230B}) (Version: 8.0.877.0 - Advanced Micro Devices, Inc.)
Bitdefender Total Security 2015 (HKLM\...\Bitdefender) (Version: 18.19.0.1369 - Bitdefender)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Nmap 5.20 (HKLM-x32\...\Nmap) (Version: - )
WinPcap 4.1.1 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.1753 - CACE Technologies)
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
==================== Restore Points =========================
10-01-2015 22:07:54 Windows Update
11-01-2015 20:19:46 Windows Update
11-01-2015 20:36:36 Windows Update
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
==================== Loaded Modules (whitelisted) =============
2015-01-11 20:21 - 2014-08-27 16:31 - 00265080 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\txmlutil.dll
2015-01-11 20:21 - 2013-09-03 14:29 - 00101328 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdmetrics.dll
2015-01-11 20:21 - 2014-11-19 20:28 - 00003072 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\UI\accessl.ui
2015-01-11 20:21 - 2012-10-29 14:22 - 00152816 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdfwcore.dll
2015-01-11 20:21 - 2014-07-24 09:44 - 00780592 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_001_001\ashttpbr.mdl
2015-01-11 20:21 - 2014-07-24 09:44 - 00568400 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_001_001\ashttpdsp.mdl
2015-01-11 20:21 - 2014-07-24 09:44 - 02602680 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_001_001\ashttpph.mdl
2015-01-11 20:21 - 2014-07-24 09:44 - 01323408 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_001_001\ashttprbl.mdl
2015-01-11 13:43 - 2015-01-11 13:43 - 00050477 _____ () C:\Users\Daniel\Downloads\Defogger.exe
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
AlternateDataStreams: C:\Users\Daniel\Downloads\autodetectutility.exe:BDU
AlternateDataStreams: C:\Users\Daniel\Downloads\Defogger.exe:BDU
AlternateDataStreams: C:\Users\Daniel\Downloads\FRST64.exe:BDU
AlternateDataStreams: C:\Users\Daniel\Downloads\nmap-5.20-setup.exe:BDU
==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
========================= Accounts: ==========================
Administrator (S-1-5-21-2042451591-645076460-3267669818-500 - Administrator - Enabled) => C:\Users\Administrator
Gast (S-1-5-21-2042451591-645076460-3267669818-501 - Limited - Disabled)
Zer0.Byt3 (S-1-5-21-2042451591-645076460-3267669818-1000 - Limited - Enabled) => C:\Users\Daniel
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (01/11/2015 00:28:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/11/2015 00:26:46 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error
Error: (01/10/2015 02:16:56 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/10/2015 10:57:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm AutoDetectUtilApp.exe, Version 1.0.0.2 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.
Prozess-ID: 318
Startzeit: 01d02d1fe6040c0c
Endzeit: 0
Anwendungspfad: C:\Users\ADMINI~1\AppData\Local\Temp\AutoDetectUtilApp.exe
Berichts-ID: aa399995-9913-11e4-867e-00248c66e588
Error: (01/10/2015 10:55:27 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error
Error: (01/10/2015 10:24:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/10/2015 10:22:53 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error
Error: (01/10/2015 09:55:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/11/2015 09:36:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: mscorsvw.exe, Version: 2.0.50727.5483, Zeitstempel: 0x4a275ab4
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x749171fc
ID des fehlerhaften Prozesses: 0x910
Startzeit der fehlerhaften Anwendung: 0xmscorsvw.exe0
Pfad der fehlerhaften Anwendung: mscorsvw.exe1
Pfad des fehlerhaften Moduls: mscorsvw.exe2
Berichtskennung: mscorsvw.exe3
Error: (01/11/2015 08:36:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
System errors:
=============
Error: (01/11/2015 01:48:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:48:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:48:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:47:28 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:47:28 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:47:26 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:47:26 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:47:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:47:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Error: (01/11/2015 01:47:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Diagnosediensthost" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1297
Microsoft Office Sessions:
=========================
Error: (01/11/2015 00:28:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/11/2015 00:26:46 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description:
Error: (01/10/2015 02:16:56 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/10/2015 10:57:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: AutoDetectUtilApp.exe1.0.0.231801d02d1fe6040c0c0C:\Users\ADMINI~1\AppData\Local\Temp\AutoDetectUtilApp.exeaa399995-9913-11e4-867e-00248c66e588
Error: (01/10/2015 10:55:27 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description:
Error: (01/10/2015 10:24:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/10/2015 10:22:53 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description:
Error: (01/10/2015 09:55:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/11/2015 09:36:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: mscorsvw.exe2.0.50727.54834a275ab4unknown0.0.0.000000000c0000005749171fc91001d02dd60115b3c6C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeunknown8df90785-99d1-11e4-a152-00248c66e588
Error: (01/11/2015 08:36:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabEin erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
CodeIntegrity Errors:
===================================
Date: 2015-01-11 12:26:41.414
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\drivers\atikmdag.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
Date: 2015-01-11 12:26:41.320
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\drivers\atikmdag.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
Date: 2015-01-10 22:22:34.804
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\drivers\atikmdag.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
Date: 2015-01-10 22:22:34.694
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\drivers\atikmdag.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
Date: 2015-01-10 22:11:15.781
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\drivers\atikmdag.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
Date: 2015-01-10 22:11:15.719
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\drivers\atikmdag.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
==================== Memory info ===========================
Processor: Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz
Percentage of memory in use: 33%
Total physical RAM: 4095.11 MB
Available physical RAM: 2707.03 MB
Total Pagefile: 8188.41 MB
Available Pagefile: 6729.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
==================== Drives ================================
Drive c: (SSD) (Fixed) (Total:119.14 GB) (Free:92.25 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 119.2 GB) (Disk ID: F9FAB0CC)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=119.1 GB) - (Type=07 NTFS)
==================== End Of Log ============================
NtSetContextThread + 8 00000000770f27e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770f29a0 6 bytes [48, B8, B9, C0, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000770f29a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770f2a80 6 bytes [48, B8, 79, 3D, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000770f2a88 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770f2a90 6 bytes [48, B8, B9, 3B, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000770f2a98 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770f2b80 6 bytes [48, B8, 79, E5, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000770f2b88 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077163201 11 bytes [B8, 39, 85, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076e81b21 11 bytes [B8, 79, BB, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076e81c10 12 bytes [48, B8, F9, 39, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076e82b61 8 bytes [B8, 79, D0, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076e82b6a 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e9db80 12 bytes [48, B8, B9, 2D, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000076ea0931 11 bytes [B8, B9, E3, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000076ed52f1 11 bytes [B8, B9, 7A, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000076ed5311 11 bytes [B8, 39, 77, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!ReadConsoleW 0000000076eea5e0 12 bytes [48, B8, B9, 81, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!ReadConsoleA 0000000076eea6f0 12 bytes [48, B8, 39, 7E, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 0000000076f0f491 11 bytes [B8, 79, D7, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 0000000076f0f691 11 bytes [B8, F9, D3, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 0000000076f0f6c1 8 bytes [B8, F9, CC, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 0000000076f0f6ca 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefce81861 11 bytes [B8, 79, 52, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefce82db1 11 bytes [B8, 39, AF, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefce83461 11 bytes [B8, F9, B0, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce88ef0 12 bytes [48, B8, 79, AD, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefce894c0 12 bytes [48, B8, B9, 50, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefce8bfd1 11 bytes [B8, B9, AB, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefce92af1 11 bytes [B8, F9, 4E, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefceb4350 12 bytes [48, B8, B9, 42, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefcec0c11 11 bytes [B8, 79, C9, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefcec2871 8 bytes [B8, 39, 23, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefcec287a 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefcec28b1 11 bytes [B8, F9, 40, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feff25642d 11 bytes [B8, 39, 5B, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff256484 12 bytes [48, B8, F9, 55, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff256519 11 bytes [B8, 39, 62, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff256c34 12 bytes [48, B8, 39, 54, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff257ab5 11 bytes [B8, F9, 5C, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff258b01 11 bytes [B8, B9, 57, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff258c39 11 bytes [B8, 79, 59, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefedf4ea1 11 bytes [B8, 79, EC, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefedf55c8 12 bytes [48, B8, B9, 6C, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefee0b85c 12 bytes [48, B8, F9, 6A, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefee0b9d0 12 bytes [48, B8, 79, 60, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefee0ba3c 12 bytes [48, B8, B9, 5E, 94, 75, 00, ...]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770d92d1 5 bytes [B8, F9, 55, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000770d92d7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770f1470 6 bytes [48, B8, F9, 5C, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000770f1478 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770f1510 6 bytes [48, B8, F9, 32, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770f1518 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770f1530 6 bytes [48, B8, 39, 1C, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770f1538 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770f1550 6 bytes [48, B8, F9, 1D, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770f1558 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770f1570 6 bytes [48, B8, 39, 5B, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000770f1578 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770f1650 6 bytes [48, B8, 79, 2F, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000770f1658 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770f1670 6 bytes [48, B8, 79, 36, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000770f1678 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770f1700 6 bytes [48, B8, B9, 34, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000770f1708 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770f1780 6 bytes [48, B8, 39, 2A, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000770f1788 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770f1790 6 bytes [48, B8, B9, 26, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000770f1798 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770f1cd0 6 bytes [48, B8, 79, 28, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000770f1cd8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770f1d30 6 bytes [48, B8, F9, 24, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000770f1d38 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770f20a0 6 bytes [48, B8, B9, 5E, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000770f20a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770f27e0 6 bytes [48, B8, 39, 31, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000770f27e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770f29a0 6 bytes [48, B8, 79, 60, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000770f29a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770f2a80 6 bytes [48, B8, 79, 3D, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000770f2a88 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770f2a90 6 bytes [48, B8, B9, 3B, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000770f2a98 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770f2b80 6 bytes [48, B8, 79, 75, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000770f2b88 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076e81c10 12 bytes [48, B8, F9, 39, 94, 75, 00, ...]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076e82b61 8 bytes [B8, 39, 69, 94, 75, 00, 00, ...]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076e82b6a 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff256484 12 bytes [48, B8, F9, 55, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff256519 11 bytes [B8, 39, 62, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff256c34 12 bytes [48, B8, 39, 54, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff257ab5 11 bytes [B8, F9, 5C, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff258b01 11 bytes [B8, B9, 57, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff258c39 11 bytes [B8, 79, 59, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefedf4ea1 11 bytes [B8, 79, EC, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefedf55c8 12 bytes [48, B8, B9, 6C, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefee0b85c 12 bytes [48, B8, F9, 6A, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefee0b9d0 12 bytes [48, B8, 79, 60, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefee0ba3c 12 bytes [48, B8, B9, 5E, 94, 75, 00, ...]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770d92d1 5 bytes [B8, F9, 55, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000770d92d7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770f1470 6 bytes [48, B8, F9, 5C, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000770f1478 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770f1510 6 bytes [48, B8, F9, 32, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000770f1518 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770f1530 6 bytes [48, B8, 39, 1C, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000770f1538 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000770f1550 6 bytes [48, B8, F9, 1D, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000770f1558 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770f1570 6 bytes [48, B8, 39, 5B, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000770f1578 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770f1650 6 bytes [48, B8, 79, 2F, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000770f1658 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770f1670 6 bytes [48, B8, 79, 36, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000770f1678 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770f1700 6 bytes [48, B8, B9, 34, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000770f1708 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000770f1780 6 bytes [48, B8, 39, 2A, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000770f1788 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770f1790 6 bytes [48, B8, B9, 26, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000770f1798 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000770f1cd0 6 bytes [48, B8, 79, 28, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000770f1cd8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770f1d30 6 bytes [48, B8, F9, 24, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000770f1d38 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770f20a0 6 bytes [48, B8, B9, 5E, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000770f20a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770f27e0 6 bytes [48, B8, 39, 31, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000770f27e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770f29a0 6 bytes [48, B8, 79, 60, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000770f29a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770f2a80 6 bytes [48, B8, 79, 3D, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000770f2a88 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770f2a90 6 bytes [48, B8, B9, 3B, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000770f2a98 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770f2b80 6 bytes [48, B8, 79, 75, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000770f2b88 4 bytes [00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076e81c10 12 bytes [48, B8, F9, 39, 94, 75, 00, ...]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076e82b61 8 bytes [B8, 39, 69, 94, 75, 00, 00, ...]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076e82b6a 2 bytes [50, C3]
NtSetContextThread + 8 00000000770f27e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770f29a0 6 bytes [48, B8, B9, C0, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000770f29a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770f2a80 6 bytes [48, B8, 79, 3D, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 00000000770f2a88 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770f2a90 6 bytes [48, B8, B9, 3B, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 00000000770f2a98 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770f2b80 6 bytes [48, B8, 79, E5, 94, 75]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000770f2b88 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 0000000077163201 11 bytes [B8, 39, 85, 94, 75, 00, 00, ...]
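Reading a GMER hook listing like the one above line by line is slow, so here is a small Python helper I wrote for this thread; it is my own code, not part of GMER, FRST or any product named in the logs. It parses GMER's ".text <process>[pid] <module>!<export> [+ offset] <address> <n> bytes [..]" lines and decodes the patched bytes: 48 B8 <imm64> is mov rax, imm64, 50 is push rax and C3 is ret, so every entry above is the same 12-byte jump stub. GMER prints only the bytes that differ from the file on disk, which is why one stub shows up as two fragments ("6 bytes" at +0 and "4 bytes" at +8) and why entries reported at "+ 1" lack the leading 48 (the original prologue already started with that byte); the decoder reassembles the fragments before reading the target. The sample input is an excerpt of the lines above, and the function and field names (parse_gmer_hooks, decode_stub, summarize, Hook) are mine. What the script cannot tell you is which DLL lives at the target addresses: all of them fall in one narrow window (0x7594xxxx), which points to a single hooking module, and an installed antivirus or HIPS product is the usual source of stubs of exactly this shape, but that is an assumption to be confirmed against the process's loaded-module list, not something the log proves.

```python
"""Parse GMER ".text" user-mode hook lines and decode the patched bytes into the jump stub they form."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<symbol>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<count>\d+)\s+bytes\s+"
    r"\[(?P<bytes>[^\]]*)\]")
STUB_LEN = 12  # 48 B8 <imm64> = mov rax, imm64 (10 bytes); 50 = push rax; C3 = ret


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    symbol: str
    func_addr: int                             # address of the export (line address minus offset)
    patch: dict = field(default_factory=dict)  # offset from the export -> patched byte value
    truncated: bool = False                    # GMER printed "..." instead of the whole byte run


def parse_gmer_hooks(text):
    """Merge the one-or-more lines GMER prints per hooked export into a single Hook each.
    GMER lists only bytes that differ from the file on disk, so one 12-byte stub may appear as two
    fragments ("+ 0, 6 bytes" and "+ 8, 4 bytes"), and a leading 0x48 that the original prologue
    already had is not listed at all (the entry then starts at "+ 1")."""
    hooks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())        # non-hook lines and trailing BBCode tags are ignored
        if not m:
            continue
        offset, key = int(m["offset"] or 0), (int(m["pid"]), m["module"].lower(), m["symbol"])
        h = hooks.setdefault(key, Hook(m["proc"], int(m["pid"]), m["module"], m["symbol"],
                                       int(m["addr"], 16) - offset))
        for i, tok in enumerate(t.strip() for t in m["bytes"].split(",")):
            if tok == "...":
                h.truncated = True
                break
            h.patch[offset + i] = int(tok, 16)
    return list(hooks.values())


def decode_stub(patch):
    """Return {"offset", "target", "tail_seen"} if the patch is mov rax,imm64 / push rax / ret.
    Bytes GMER did not list were unchanged by the hook; an unlisted high dword of the immediate is
    taken as zero, which matches every listed high byte above (all targets are below 4 GiB)."""
    start = min(patch)
    if patch[start] == 0xB8:
        start -= 1                             # the REX.W prefix (0x48) was already in place
    buf = [patch.get(start + i) for i in range(STUB_LEN)]
    if buf[0] not in (0x48, None) or buf[1] != 0xB8 or None in buf[2:6]:
        return None                            # not this stub shape, or too little of it survived
    target = int.from_bytes(bytes(b or 0 for b in buf[2:10]), "little")
    # An "offset" well away from 0 means GMER named the nearest export; the hooked routine is then
    # most likely a non-exported neighbour of that symbol rather than the symbol itself.
    return {"offset": start, "target": target, "tail_seen": buf[10:] == [0x50, 0xC3]}


def summarize(hooks):
    """Per process: decoded (module!export, target, stub offset) rows and the spread of targets.
    Targets packed into one small window mean a single module placed all the hooks; which module
    that is has to come from the process's loaded-module list, the log alone cannot say."""
    per_proc = defaultdict(list)
    for h in hooks:
        per_proc[(h.process, h.pid)].append(h)
    out = {}
    for proc, hs in per_proc.items():
        rows, undecoded = [], []
        for h in hs:
            name, d = h.module.rsplit("\\", 1)[-1] + "!" + h.symbol, decode_stub(h.patch)
            if d:
                rows.append((name, d["target"], d["offset"]))
            else:
                undecoded.append(name)
        targets = [t for _, t, _ in rows]
        out[proc] = {"hooks": rows, "undecoded": undecoded,
                     "target_lo": min(targets, default=None), "target_hi": max(targets, default=None)}
    return out


# Sample input: an excerpt of the hook lines from the listing above (taskhost.exe and Explorer.EXE).
SAMPLE = r"""
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!Process32NextW + 1 0000000076e81b21 11 bytes [B8, 79, BB, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000076e81c10 12 bytes [48, B8, F9, 39, 94, 75, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 0000000076e82b61 8 bytes [B8, 79, D0, 94, 75, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 0000000076e82b6a 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[2972] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefedf4ea1 11 bytes [B8, 79, EC, 94, 75, 00, 00, ...]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000770d92d1 5 bytes [B8, F9, 55, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000770d92d7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000770f1470 6 bytes [48, B8, F9, 5C, 94, 75]
.text C:\Windows\Explorer.EXE[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000770f1478 4 bytes [00, 00, 50, C3]
"""

if __name__ == "__main__":
    for (proc, pid), s in summarize(parse_gmer_hooks(SAMPLE)).items():
        print(f"{proc}[{pid}]: {len(s['hooks'])} stub(s), targets 0x{s['target_lo']:08x}..0x{s['target_hi']:08x}")
        for name, target, off in s["hooks"]:
            print(f"  {name:<42} -> 0x{target:08x}" + (f"  (stub at +{off})" if off else ""))
```

Run it on the full log instead of SAMPLE and compare the target window against the loaded-module list of the same process; a hook whose target falls outside the window every other hook shares is the one worth looking at first. The "stub at +48" reported for the IsTextUnicode entry is an example of GMER naming the nearest export rather than the routine actually patched.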