Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung
avast kann beim Scan mehrere Pfade nicht finden

avast kann beim Scan mehrere Pfade nicht finden


Log-Analyse und Auswertung: avast kann beim Scan mehrere Pfade nicht finden

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML.

Antwort
Alt 15.04.2013, 09:55   #1
SuNi67
 
avast kann beim Scan mehrere Pfade nicht finden - Standard

avast kann beim Scan mehrere Pfade nicht finden


Guten Morgen liebes Helfer-Team,

ich habe heute morgen den PC meines Sohnes einem Virenscan unterzogen und erhielt dabei zwar keine Fundmeldung, jedoch konnten mehrer Pfade nicht geöffnet werden (ich werde versuchen den Screenshot anzuhängen). Da er den PC für wer weiß was nutzt, habe ich noch mit mbam gescant (fundfrei) und auch den Rest eurer Anleitung abgearbeitet. Beim Scannen mit GMER hatte ich gleich zu Anfang, noch vor Scanbeginn, 2 Fehlermeldungen, die ich ebenfalls als Screenshot anhänge. Und während des Scans kamen 2 Meldungen, dass auf die Datei nicht zugegriffen werden kann, weil sie von einem anderen Prozess verwendet wird, obwohl ich (wissentlich) keine weiteren Programme außer GMER geöffnet hatte.

Da ich im Höchstfall rudimentäre Ahnung von dieser Materie habe, wäre ich Euch unendlich dankbar, wenn Ihr bitte einmal über die Logs schauen würdet, ob da vielleicht doch etwas Bösartiges drauf ist, oder ob ich "nur" ein Problem mit dem Virenscaner habe.

Ich danke Euch schon mal vorab ganz herzlich für eure Hilfe

Viele Grüße
SuNi

und jetzt noch Screenshots, logs etc.

Code:
ATTFilter
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.04.15.03

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16540
Sanne :: SANNE2 [Administrator]

15.04.2013 09:28:41
mbam-log-2013-04-15 (09-28-41).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 304576
Laufzeit: 1 Minute(n), 53 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
Code:
ATTFilter
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 09:36 on 15/04/2013 (Sanne)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
Code:
ATTFilter
OTL logfile created on: 15.04.2013 09:42:39 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Sanne\Desktop
64bit- An unknown product  (Version = 6.2.9200) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16540)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,94 Gb Total Physical Memory | 2,90 Gb Available Physical Memory | 73,44% Memory free
4,88 Gb Paging File | 3,66 Gb Available in Paging File | 74,90% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1801,30 Gb Total Space | 1734,05 Gb Free Space | 96,27% Space Free | Partition Type: NTFS
Drive D: | 60,00 Gb Total Space | 44,38 Gb Free Space | 73,97% Space Free | Partition Type: NTFS
 
Computer Name: SANNE2 | User Name: Sanne | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Sanne\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Secunia\PSI\PSIA.exe (Secunia)
PRC - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (Intel Corporation)
PRC - C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
PRC - C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe (CyberLink)
PRC - C:\Program Files (x86)\CyberLink\PowerDVD10\Device\MediaServer\CLMSServer.exe (CyberLink)
PRC - C:\Program Files (x86)\CyberLink\PowerDVD10\Device\MediaServer\CLMSMonitorService.exe (CyberLink)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\07e482b2b9035605233f2cb72408d6b1\System.ServiceModel.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\500a5dd33bb40326f8ca43e385513ec2\System.IdentityModel.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorDataMcfeeca6f#\25163a2014b376f1d6921d5554b5bf4a\IAStorDataMgrSvcInterfaces.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorCommon\5230e7b23985eaebadc20f295c04e412\IAStorCommon.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorUtil\7ac60dc1a979ea56ce302cb6c033be16\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\9c95779cc3d65cda80695cabc367476b\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\9a4fc56833542881e7e451a099562655\System.ServiceModel.Internals.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\89cc9825811c2121acd4e2e12c0ef044\SMDiagnostics.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\e1ec8b9a6d4f9af9d6065c4187fb1b5f\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\115fb9d1fa2cbda89742b1c2a0631396\System.ServiceModel.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\cf7db4fae047127374f220b4f59bea45\System.Runtime.Serialization.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\38638a559066bf7f2325a53ed53629bc\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\05cc6faa6704d01e78700561b22937e3\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\0247de206c1c48ac4f8b55df16468405\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a7811936e59aaee26b1d9d467174d6d4\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\374a0cc6603f58864831897ef723bd4a\mscorlib.ni.dll ()
MOD - C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll ()
MOD - C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (TimeBroker) -- C:\Windows\SysNative\TimeBrokerServer.dll (Microsoft Corporation)
SRV:64bit: - (SystemEventsBroker) -- C:\Windows\SysNative\SystemEventsBrokerServer.dll (Microsoft Corporation)
SRV:64bit: - (netprofm) -- C:\Windows\SysNative\netprofmsvc.dll (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (wlidsvc) -- C:\Windows\SysNative\wlidsvc.dll (Microsoft Corporation)
SRV:64bit: - (LSM) -- C:\Windows\SysNative\lsm.dll (Microsoft Corporation)
SRV:64bit: - (SbieSvc) -- C:\Program Files\Sandboxie\SbieSvc.exe (SANDBOXIE L.T.D)
SRV:64bit: - (PrintNotify) -- C:\Windows\SysNative\spool\drivers\x64\3\PrintConfig.dll (Microsoft Corporation)
SRV:64bit: - (AudioEndpointBuilder) -- C:\Windows\SysNative\AudioEndpointBuilder.dll (Microsoft Corporation)
SRV:64bit: - (WSService) -- C:\Windows\SysNative\WSService.dll (Microsoft Corporation)
SRV:64bit: - (fhsvc) -- C:\Windows\SysNative\fhsvc.dll (Microsoft Corporation)
SRV:64bit: - (BrokerInfrastructure) -- C:\Windows\SysNative\bisrv.dll (Microsoft Corporation)
SRV:64bit: - (WiaRpc) -- C:\Windows\SysNative\wiarpc.dll (Microsoft Corporation)
SRV:64bit: - (Wcmsvc) -- C:\Windows\SysNative\wcmsvc.dll (Microsoft Corporation)
SRV:64bit: - (VaultSvc) -- C:\Windows\SysNative\vaultsvc.dll (Microsoft Corporation)
SRV:64bit: - (svsvc) -- C:\Windows\SysNative\svsvc.dll (Microsoft Corporation)
SRV:64bit: - (Netlogon) -- C:\Windows\SysNative\netlogon.dll (Microsoft Corporation)
SRV:64bit: - (NcaSvc) -- C:\Windows\SysNative\NcaSvc.dll (Microsoft Corporation)
SRV:64bit: - (NcdAutoSetup) -- C:\Windows\SysNative\NcdAutoSetup.dll (Microsoft Corporation)
SRV:64bit: - (KeyIso) -- C:\Windows\SysNative\keyiso.dll (Microsoft Corporation)
SRV:64bit: - (EFS) -- C:\Windows\SysNative\efssvc.dll (Microsoft Corporation)
SRV:64bit: - (DsmSvc) -- C:\Windows\SysNative\DeviceSetupManager.dll (Microsoft Corporation)
SRV:64bit: - (DeviceAssociationService) -- C:\Windows\SysNative\das.dll (Microsoft Corporation)
SRV:64bit: - (AllUserInstallAgent) -- C:\Windows\SysNative\AUInstallAgent.dll (Microsoft Corporation)
SRV:64bit: - (vmicvss) -- C:\Windows\SysNative\icsvc.dll (Microsoft Corporation)
SRV:64bit: - (vmictimesync) -- C:\Windows\SysNative\icsvc.dll (Microsoft Corporation)
SRV:64bit: - (vmicshutdown) -- C:\Windows\SysNative\icsvc.dll (Microsoft Corporation)
SRV:64bit: - (vmicrdv) -- C:\Windows\SysNative\icsvc.dll (Microsoft Corporation)
SRV:64bit: - (vmickvpexchange) -- C:\Windows\SysNative\icsvc.dll (Microsoft Corporation)
SRV:64bit: - (vmicheartbeat) -- C:\Windows\SysNative\icsvc.dll (Microsoft Corporation)
SRV:64bit: - (Intel(R) -- C:\Program Files\Intel\iCLS Client\HeciServer.exe (Intel(R) Corporation)
SRV:64bit: - (RichVideo64) -- C:\Program Files\CyberLink\Shared files\RichVideo64.exe ()
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (Secunia PSI Agent) -- C:\Program Files (x86)\Secunia\PSI\PSIA.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files (x86)\Secunia\PSI\sua.exe (Secunia)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (PrintNotify) -- C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll (Microsoft Corporation)
SRV - (Sony SCSI Helper Service) -- C:\Program Files (x86)\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe (Sony Corporation)
SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (StorSvc) -- C:\Windows\SysWOW64\StorSvc.dll (Microsoft Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (jhi_service) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (Intel Corporation)
SRV - (CyberLink PowerDVD 10 MS Service) -- C:\Program Files (x86)\CyberLink\PowerDVD10\Device\MediaServer\CLMSServer.exe (CyberLink)
SRV - (CyberLink PowerDVD 10 MS Monitor Service) -- C:\Program Files (x86)\CyberLink\PowerDVD10\Device\MediaServer\CLMSMonitorService.exe (CyberLink)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (aswSnx) -- C:\Windows\SysNative\drivers\aswSnx.sys (AVAST Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (AVAST Software)
DRV:64bit: - (aswVmm) -- C:\Windows\SysNative\drivers\aswVmm.sys ()
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\Drivers\aswRdr2.sys (AVAST Software)
DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (AVAST Software)
DRV:64bit: - (aswRvrt) -- C:\Windows\SysNative\drivers\aswRvrt.sys ()
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\Drivers\aswMonFlt.sys (AVAST Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (AVAST Software)
DRV:64bit: - (USBXHCI) -- C:\Windows\SysNative\Drivers\USBXHCI.SYS (Microsoft Corporation)
DRV:64bit: - (spaceport) -- C:\Windows\SysNative\Drivers\spaceport.sys (Microsoft Corporation)
DRV:64bit: - (storahci) -- C:\Windows\SysNative\Drivers\storahci.sys (Microsoft Corporation)
DRV:64bit: - (TPM) -- C:\Windows\SysNative\Drivers\tpm.sys (Microsoft Corporation)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\Drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (pdc) -- C:\Windows\SysNative\Drivers\pdc.sys (Microsoft Corporation)
DRV:64bit: - (PSI) -- C:\Windows\SysNative\Drivers\psi_mf_amd64.sys (Secunia)
DRV:64bit: - (USBHUB3) -- C:\Windows\SysNative\Drivers\USBHUB3.SYS (Microsoft Corporation)
DRV:64bit: - (BthAvrcpTg) -- C:\Windows\SysNative\Drivers\BthAvrcpTg.sys (Microsoft Corporation)
DRV:64bit: - (WdBoot) -- C:\Windows\SysNative\Drivers\WdBoot.sys (Microsoft Corporation)
DRV:64bit: - (WdFilter) -- C:\Windows\SysNative\Drivers\WdFilter.sys (Microsoft Corporation)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\Drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (msgpiowin32) -- C:\Windows\SysNative\Drivers\msgpiowin32.sys (Microsoft Corporation)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\Drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (SbieDrv) -- C:\Program Files\Sandboxie\SbieDrv.sys (SANDBOXIE L.T.D)
DRV:64bit: - (bthhfhid) -- C:\Windows\SysNative\Drivers\BthhfHid.sys (Microsoft Corporation)
DRV:64bit: - (hidi2c) -- C:\Windows\SysNative\Drivers\hidi2c.sys (Microsoft Corporation)
DRV:64bit: - (FxPPM) -- C:\Windows\SysNative\Drivers\fxppm.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\Drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (sdstor) -- C:\Windows\SysNative\Drivers\sdstor.sys (Microsoft Corporation)
DRV:64bit: - (dam) -- C:\Windows\SysNative\Drivers\dam.sys (Microsoft Corporation)
DRV:64bit: - (UCX01000) -- C:\Windows\SysNative\Drivers\UCX01000.SYS (Microsoft Corporation)
DRV:64bit: - (GPIOClx0101) -- C:\Windows\SysNative\Drivers\msgpioclx.sys (Microsoft Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\Drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\Drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (iaStorA) -- C:\Windows\SysNative\Drivers\iaStorA.sys (Intel Corporation)
DRV:64bit: - (RtlWlanu) -- C:\Windows\SysNative\Drivers\RTWlanU.sys (Realtek Semiconductor Corporation                           )
DRV:64bit: - (RTL8192cu) -- C:\Windows\SysNative\Drivers\RTWlanU.sys (Realtek Semiconductor Corporation                           )
DRV:64bit: - (RTL8168) -- C:\Windows\SysNative\Drivers\Rt630x64.sys (Realtek                                            )
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (condrv) -- C:\Windows\SysNative\Drivers\condrv.sys (Microsoft Corporation)
DRV:64bit: - (VSTXRAID) -- C:\Windows\SysNative\Drivers\VSTXRAID.SYS (VIA Corporation)
DRV:64bit: - (VerifierExt) -- C:\Windows\SysNative\Drivers\VerifierExt.sys (Microsoft Corporation)
DRV:64bit: - (UASPStor) -- C:\Windows\SysNative\Drivers\uaspstor.sys (Microsoft Corporation)
DRV:64bit: - (acpiex) -- C:\Windows\SysNative\Drivers\acpiex.sys (Microsoft Corporation)
DRV:64bit: - (mvumis) -- C:\Windows\SysNative\Drivers\mvumis.sys (Marvell Semiconductor, Inc.)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\Drivers\stexstor.sys (Promise Technology, Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\Drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (LSI_SSS) -- C:\Windows\SysNative\Drivers\lsi_sss.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\Drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (EhStorTcgDrv) -- C:\Windows\SysNative\Drivers\EhStorTcgDrv.sys (Microsoft Corporation)
DRV:64bit: - (EhStorClass) -- C:\Windows\SysNative\Drivers\EhStorClass.sys (Microsoft Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\Drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (3ware) -- C:\Windows\SysNative\Drivers\3ware.sys (LSI)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\Drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\Drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (CLFS) -- C:\Windows\SysNative\Drivers\clfs.sys (Microsoft Corporation)
DRV:64bit: - (WFPLWFS) -- C:\Windows\SysNative\Drivers\wfplwfs.sys (Microsoft Corporation)
DRV:64bit: - (vpci) -- C:\Windows\SysNative\Drivers\vpci.sys (Microsoft Corporation)
DRV:64bit: - (terminpt) -- C:\Windows\SysNative\Drivers\terminpt.sys (Microsoft Corporation)
DRV:64bit: - (mshidumdf) -- C:\Windows\SysNative\Drivers\mshidumdf.sys (Microsoft Corporation)
DRV:64bit: - (BasicDisplay) -- C:\Windows\SysNative\Drivers\BasicDisplay.sys (Microsoft Corporation)
DRV:64bit: - (HyperVideo) -- C:\Windows\SysNative\Drivers\HyperVideo.sys (Microsoft Corporation)
DRV:64bit: - (BasicRender) -- C:\Windows\SysNative\Drivers\BasicRender.sys (Microsoft Corporation)
DRV:64bit: - (gencounter) -- C:\Windows\SysNative\Drivers\vmgencounter.sys (Microsoft Corporation)
DRV:64bit: - (kdnic) -- C:\Windows\SysNative\Drivers\kdnic.sys (Microsoft Corporation)
DRV:64bit: - (acpitime) -- C:\Windows\SysNative\Drivers\acpitime.sys (Microsoft Corporation)
DRV:64bit: - (npsvctrig) -- C:\Windows\SysNative\Drivers\npsvctrig.sys (Microsoft Corporation)
DRV:64bit: - (WpdUpFltr) -- C:\Windows\SysNative\Drivers\WpdUpFltr.sys (Microsoft Corporation)
DRV:64bit: - (acpipagr) -- C:\Windows\SysNative\Drivers\acpipagr.sys (Microsoft Corporation)
DRV:64bit: - (hyperkbd) -- C:\Windows\SysNative\Drivers\hyperkbd.sys (Microsoft Corporation)
DRV:64bit: - (SerCx) -- C:\Windows\SysNative\Drivers\SerCx.sys (Microsoft Corporation)
DRV:64bit: - (SpbCx) -- C:\Windows\SysNative\Drivers\SpbCx.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\Drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (BthHFEnum) -- C:\Windows\SysNative\Drivers\bthhfenum.sys (Microsoft Corporation)
DRV:64bit: - (dmvsc) -- C:\Windows\SysNative\Drivers\dmvsc.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\Drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (wpcfltr) -- C:\Windows\SysNative\Drivers\wpcfltr.sys (Microsoft Corporation)
DRV:64bit: - (NdisImPlatform) -- C:\Windows\SysNative\Drivers\NdisImPlatform.sys (Microsoft Corporation)
DRV:64bit: - (MsLldp) -- C:\Windows\SysNative\Drivers\mslldp.sys (Microsoft Corporation)
DRV:64bit: - (Ndu) -- C:\Windows\SysNative\Drivers\Ndu.sys (Microsoft Corporation)
DRV:64bit: - (CLVirtualDrive) -- C:\Windows\SysNative\Drivers\CLVirtualDrive.sys (CyberLink)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\Drivers\igdkmd64.sys (Intel Corporation)
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
 
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\..\SearchScopes,DefaultScope = {0C688C30-1FFE-47A6-A484-31890FF3D232}
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\..\SearchScopes\{0C688C30-1FFE-47A6-A484-31890FF3D232}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:8.0.1483
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3503.0728: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@sony.com/ReaderDesktop: C:\Program Files (x86)\Sony\ReaderDesktop\npreaderdetectmoz.dll (Sony Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013.03.08 13:57:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.04.12 16:00:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.5\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.04.03 18:04:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.5\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.5\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.04.03 18:04:21 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.5\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
 
[2013.01.12 18:42:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sanne\AppData\Roaming\mozilla\Extensions
[2013.04.12 16:00:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.03.08 13:57:14 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2013.04.12 16:00:45 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2013.01.05 17:11:17 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2013.01.05 17:11:17 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2013.01.05 17:11:17 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2013.01.05 17:11:17 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2013.01.05 17:11:17 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2013.01.05 17:11:17 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: hxxp://www.google.com/
CHR - Extension: Docs = C:\Users\Sanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\
CHR - Extension: Google Drive = C:\Users\Sanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\
CHR - Extension: YouTube = C:\Users\Sanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Sanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: avast! WebRep = C:\Users\Sanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\8.0.1483_0\
CHR - Extension: Google Mail = C:\Users\Sanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2012.07.26 07:26:49 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\Drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKU\S-1-5-21-1234656636-18614592-3897552348-1008\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CLMLServer_For_P2G8] C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe (CyberLink)
O4 - HKLM..\Run: [CLVirtualDrive] C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe (CyberLink Corp.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe (Intel Corporation)
O4 - HKLM..\Run: [Reader Application Helper] C:\Program Files (x86)\Sony\ReaderDesktop\appHelper\ReaderAppHelper.exe (Sony Corporation)
O4 - HKLM..\Run: [RemoteControl10] C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-1234656636-18614592-3897552348-1008..\Run: [FileHippo.com] C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe (FileHippo.com)
O4 - HKU\S-1-5-21-1234656636-18614592-3897552348-1008..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-1234656636-18614592-3897552348-1008..\Run: [SecureBanking] C:\Program Files (x86)\Secure Banking\SecureBanking.exe (Secure Banking)
O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-1234656636-18614592-3897552348-1002..\RunOnce: [HKCU] C:\Windows\System32\oobe\info\HKCU.vbs File not found
O4 - HKU\S-1-5-21-1234656636-18614592-3897552348-1008..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_Plugin.exe -update plugin File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ConfirmFileDelete = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableCursorSuppression = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O9:64bit: - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-154514-44482-15/4 File not found
O9:64bit: - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-154514-44482-15/4 File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{281685EA-5281-425D-A206-752B81C1E90D}: DhcpNameServer = 192.168.2.1 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\NVIDIA~1\3DVISI~1\NVSTIN~1.DLL) -  File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\NVIDIA~1\3DVISI~1\nvStInit.dll) -  File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30 - LSA: Security Packages - (livessp) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.04.15 09:36:35 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Sanne\Desktop\OTL.exe
[2013.04.15 09:24:03 | 000,000,000 | ---D | C] -- C:\Users\Sanne\AppData\Roaming\Malwarebytes
[2013.04.15 09:23:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.04.15 09:23:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.04.15 09:23:44 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.04.15 09:23:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.04.15 09:22:50 | 000,000,000 | ---D | C] -- C:\Users\Sanne\AppData\Local\Programs
[2013.04.15 09:19:07 | 010,285,040 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Users\Sanne\Desktop\mbam-setup-1.75.0.1300.exe
[2013.04.12 16:00:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013.04.10 08:36:33 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013.04.10 08:36:29 | 000,915,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\uxtheme.dll
[2013.04.10 08:36:29 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013.04.10 08:36:29 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013.04.10 08:36:28 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013.04.10 08:36:28 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2013.04.10 08:36:27 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2013.04.10 08:36:27 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2013.04.10 08:36:27 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2013.04.10 08:36:27 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2013.04.10 08:36:13 | 006,991,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013.04.10 08:35:45 | 001,011,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\reseteng.dll
[2013.04.10 08:35:45 | 000,375,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ReAgent.dll
[2013.04.10 08:22:48 | 001,161,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sppobjs.dll
[2013.04.10 08:22:46 | 001,627,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll
[2013.04.10 08:22:45 | 010,116,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\twinui.dll
[2013.04.10 08:22:45 | 008,857,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\twinui.dll
[2013.04.10 08:22:43 | 005,978,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2013.04.10 08:22:43 | 001,048,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfasfsrcsnk.dll
[2013.04.10 08:22:43 | 000,850,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfasfsrcsnk.dll
[2013.04.10 08:22:43 | 000,328,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ubpm.dll
[2013.04.10 08:22:42 | 001,149,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winmde.dll
[2013.04.10 08:22:42 | 001,101,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wmpmde.dll
[2013.04.10 08:22:42 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\BCP47Langs.dll
[2013.04.10 08:22:42 | 000,327,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\Classpnp.sys
[2013.04.10 08:22:42 | 000,246,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ubpm.dll
[2013.04.10 08:22:41 | 005,091,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2013.04.10 08:22:41 | 000,951,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Windows.Globalization.dll
[2013.04.10 08:22:41 | 000,760,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll
[2013.04.10 08:22:41 | 000,645,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Windows.Security.Authentication.OnlineId.dll
[2013.04.10 08:22:41 | 000,357,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\netcfgx.dll
[2013.04.10 08:22:41 | 000,309,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\BCP47Langs.dll
[2013.04.10 08:22:40 | 002,302,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\authui.dll
[2013.04.10 08:22:40 | 000,893,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\winmde.dll
[2013.04.10 08:22:40 | 000,601,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Windows.Globalization.dll
[2013.04.10 08:22:40 | 000,455,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netcfgx.dll
[2013.04.10 08:22:40 | 000,411,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[2013.04.10 08:22:40 | 000,332,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\storport.sys
[2013.04.10 08:22:40 | 000,180,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SystemEventsBrokerServer.dll
[2013.04.10 08:22:40 | 000,171,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TimeBrokerServer.dll
[2013.04.10 08:22:39 | 000,621,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapi.dll
[2013.04.10 08:22:39 | 000,550,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\drvstore.dll
[2013.04.10 08:22:39 | 000,504,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Windows.Security.Authentication.OnlineId.dll
[2013.04.10 08:22:39 | 000,448,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SettingSync.dll
[2013.04.10 08:22:39 | 000,245,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\usbmon.dll
[2013.04.10 08:22:38 | 002,146,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\actxprxy.dll
[2013.04.10 08:22:38 | 002,033,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\authui.dll
[2013.04.10 08:22:37 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drvstore.dll
[2013.04.10 08:22:37 | 000,356,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\SettingSync.dll
[2013.04.10 08:22:37 | 000,150,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\discan.dll
[2013.04.10 08:22:37 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll
[2013.04.10 08:22:36 | 000,283,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\spaceport.sys
[2013.04.10 08:22:36 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskhost.exe
[2013.04.10 08:22:35 | 001,619,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll
[2013.04.10 08:22:34 | 000,337,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\USBXHCI.SYS
[2013.04.10 08:22:34 | 000,058,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe
[2013.04.10 08:22:33 | 000,251,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUSettingsProvider.dll
[2013.04.10 08:22:33 | 000,194,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\sdbus.sys
[2013.04.10 08:22:33 | 000,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\powercfg.cpl
[2013.04.10 08:22:33 | 000,148,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\tpm.sys
[2013.04.10 08:22:33 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\powercfg.cpl
[2013.04.10 08:22:33 | 000,125,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\dumpsd.sys
[2013.04.10 08:22:33 | 000,117,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\NdisImPlatform.dll
[2013.04.10 08:22:33 | 000,077,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\storahci.sys
[2013.04.10 08:22:33 | 000,072,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskhostex.exe
[2013.04.10 08:22:33 | 000,069,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\pdc.sys
[2013.04.10 08:22:32 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\storewuauth.dll
[2013.04.10 08:22:32 | 000,141,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll
[2013.04.10 08:22:32 | 000,128,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SettingSyncInfo.dll
[2013.04.10 08:22:32 | 000,125,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuwebv.dll
[2013.04.10 08:22:32 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\SettingSyncInfo.dll
[2013.04.10 08:22:32 | 000,083,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wudriver.dll
[2013.04.10 08:22:32 | 000,071,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WSDPrintProxy.DLL
[2013.04.10 08:22:32 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DevDispItemProvider.dll
[2013.04.10 08:22:30 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll
[2013.04.10 08:22:29 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe
[2013.04.10 08:22:29 | 000,036,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\DevDispItemProvider.dll
[2013.04.10 08:22:29 | 000,034,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapp.exe
[2013.04.03 18:04:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird
[2013.04.02 16:52:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2013.03.19 22:24:45 | 000,000,000 | ---D | C] -- C:\ProgramData\kinoma
 
========== Files - Modified Within 30 Days ==========
 
[2013.04.15 09:39:38 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.04.15 09:36:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Sanne\Desktop\OTL.exe
[2013.04.15 09:35:17 | 000,000,000 | ---- | M] () -- C:\Users\Sanne\defogger_reenable
[2013.04.15 09:33:48 | 000,050,477 | ---- | M] () -- C:\Users\Sanne\Desktop\Defogger.exe
[2013.04.15 09:23:45 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.04.15 09:21:51 | 000,001,120 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.04.15 09:19:19 | 010,285,040 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Users\Sanne\Desktop\mbam-setup-1.75.0.1300.exe
[2013.04.15 09:03:31 | 000,001,124 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.04.15 08:34:27 | 001,748,838 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.04.15 08:34:27 | 000,752,930 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.04.15 08:34:27 | 000,711,084 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.04.15 08:34:27 | 000,156,156 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.04.15 08:34:27 | 000,132,952 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.04.15 08:31:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.15 08:29:42 | 268,435,456 | -HS- | M] () -- C:\swapfile.sys
[2013.04.15 08:29:38 | 3387,179,008 | -HS- | M] () -- C:\hiberfil.sys
[2013.04.12 19:21:03 | 000,001,892 | ---- | M] () -- C:\Windows\Sandboxie.ini
[2013.04.11 13:03:34 | 000,002,187 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013.04.10 09:00:24 | 000,386,904 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.04.04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.04.03 00:08:01 | 000,692,576 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.04.03 00:08:01 | 000,078,176 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.04.02 16:56:38 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
 
========== Files Created - No Company Name ==========
 
[2013.04.15 09:35:17 | 000,000,000 | ---- | C] () -- C:\Users\Sanne\defogger_reenable
[2013.04.15 09:33:47 | 000,050,477 | ---- | C] () -- C:\Users\Sanne\Desktop\Defogger.exe
[2013.04.15 09:23:45 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.04.10 09:00:13 | 000,386,904 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.04.10 08:22:29 | 000,387,867 | ---- | C] () -- C:\Windows\SysNative\ApnDatabase.xml
[2013.03.14 11:32:28 | 000,001,892 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2013.02.20 10:49:46 | 000,007,605 | ---- | C] () -- C:\Users\Sanne\AppData\Local\Resmon.ResmonCfg
[2012.11.29 12:40:18 | 000,083,968 | ---- | C] () -- C:\Windows\SysWow64\OEMLicense.dll
[2012.09.10 12:57:43 | 012,317,888 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.07.26 10:13:10 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2012.07.26 10:13:09 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2012.07.26 09:21:26 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2012.07.26 03:17:42 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2012.07.25 22:37:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2012.07.25 22:28:31 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2012.07.25 22:22:56 | 000,733,840 | ---- | C] () -- C:\Windows\SysWow64\igcodeckrng700.bin
[2012.07.25 22:22:56 | 000,492,340 | ---- | C] () -- C:\Windows\SysWow64\igvpkrng700.bin
[2012.06.19 19:52:42 | 000,001,536 | ---- | C] () -- C:\Windows\SysWow64\IusEventLog.dll
[2012.06.02 16:31:19 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
 
========== ZeroAccess Check ==========
 
[2013.02.11 17:50:51 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013.03.02 04:45:01 | 019,748,864 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013.03.02 10:23:07 | 017,560,576 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2012.07.26 05:05:38 | 001,004,544 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2012.07.26 05:18:27 | 000,784,896 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2012.07.26 05:07:41 | 000,455,680 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2012.11.29 13:07:35 | 000,000,000 | ---D | M] -- C:\Users\Internet\AppData\Roaming\Lenovo
[2012.12.17 15:08:45 | 000,000,000 | ---D | M] -- C:\Users\Internet\AppData\Roaming\Thunderbird
[2012.11.29 15:57:05 | 000,000,000 | ---D | M] -- C:\Users\Jürgen\AppData\Roaming\GetRightToGo
[2012.11.29 12:23:02 | 000,000,000 | ---D | M] -- C:\Users\Jürgen\AppData\Roaming\Lenovo
[2012.11.29 12:51:15 | 000,000,000 | ---D | M] -- C:\Users\Jürgen\AppData\Roaming\Thunderbird
[2012.11.29 16:28:30 | 000,000,000 | ---D | M] -- C:\Users\Philipp\AppData\Roaming\Lenovo
[2013.03.06 17:05:59 | 000,000,000 | ---D | M] -- C:\Users\Philipp\AppData\Roaming\LolClient
[2012.12.16 12:45:08 | 000,000,000 | ---D | M] -- C:\Users\Philipp\AppData\Roaming\Thunderbird
[2013.01.12 20:10:28 | 000,000,000 | ---D | M] -- C:\Users\Sanne\AppData\Roaming\Lenovo
[2013.03.12 11:36:48 | 000,000,000 | ---D | M] -- C:\Users\Sanne\AppData\Roaming\Thunderbird
 
========== Purity Check ==========
 
 

< End of report >
Code:
ATTFilter
OTL Extras logfile created on: 15.04.2013 09:42:39 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Sanne\Desktop
64bit- An unknown product  (Version = 6.2.9200) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16540)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,94 Gb Total Physical Memory | 2,90 Gb Available Physical Memory | 73,44% Memory free
4,88 Gb Paging File | 3,66 Gb Available in Paging File | 74,90% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1801,30 Gb Total Space | 1734,05 Gb Free Space | 96,27% Space Free | Partition Type: NTFS
Drive D: | 60,00 Gb Total Space | 44,38 Gb Free Space | 73,97% Space Free | Partition Type: NTFS
 
Computer Name: SANNE2 | User Name: Sanne | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-1234656636-18614592-3897552348-1008\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\OpenWith.exe "%1" (Microsoft Corporation)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Miniaturansicht angehängter Grafiken
avast kann beim Scan mehrere Pfade nicht finden-avast-ergebnis.jpg   avast kann beim Scan mehrere Pfade nicht finden-gmer-fehlermeldung1.jpg   avast kann beim Scan mehrere Pfade nicht finden-gmer-fehlermldung2.jpg  

Alt 15.04.2013, 10:04   #2
SuNi67
 
avast kann beim Scan mehrere Pfade nicht finden - Standard

avast kann beim Scan mehrere Pfade nicht finden


Und jetzt noch das log von gmer, das leider Überlänge hat, so dass ich es in 3 Teilen schicke:
Code:
ATTFilter
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-04-15 10:03:08
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000035 ST2000DM001-9YN164 rev.CC4G 1863,02GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Sanne\AppData\Local\Temp\uwtoypog.sys


---- User code sections - GMER 2.1 ----

.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                    000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                             000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                             000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                  000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                        000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                             000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                      000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                         000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                               000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                             000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                           000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                       000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                            000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                         000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                            000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                 000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                         000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                      000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                            000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                         000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                          000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                             000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                      000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                         000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                              000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                         000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                         000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                           000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                        000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                              000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                           000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                              000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                               000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                        000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                       000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                          000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                        000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                    000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                     000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                          000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                          000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                           000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                      000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\System32\smss.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                              000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                   000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                            000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                            000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                 000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                       000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                            000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                     000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                        000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                              000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                            000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                          000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                      000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                           000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                        000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                           000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                               000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                        000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                     000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                           000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                        000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                         000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                            000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                     000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                        000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                             000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                        000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                        000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                               000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                          000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                       000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                             000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                          000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                             000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                              000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                       000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                      000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                         000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                       000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                   000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                    000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                         000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                         000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                          000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                     000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                             000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163                                                  000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                    000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\services.exe[684] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                   000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                            000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                            000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                 000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                       000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                            000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                     000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                        000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                              000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                            000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                          000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                      000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                           000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                        000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                           000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                               000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                        000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                     000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                           000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                        000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                         000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                            000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                     000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                        000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                             000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                        000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                        000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                               000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                          000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                       000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                             000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                          000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                             000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                              000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                       000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                      000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                         000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                       000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                   000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                    000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                         000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                         000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                          000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                     000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                             000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                    000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                                000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                  000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                           000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                           000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                      000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                           000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                    000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                       000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                             000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                           000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                         000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                     000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                          000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                       000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                          000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                               000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                              000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                       000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                    000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                          000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                       000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                        000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                           000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                    000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                       000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                            000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                       000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                       000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                              000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                         000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                      000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                            000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                         000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                            000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                             000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                      000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                     000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                        000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                      000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                  000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                   000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                        000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                        000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                         000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                    000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                            000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\nvvsvc.exe[900] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                                 000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                    000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                    000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\svchost.exe[372] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                                000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                    000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\svchost.exe[412] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                                000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
__________________
Alt 15.04.2013, 10:06   #3
SuNi67
 
avast kann beim Scan mehrere Pfade nicht finden - Standard

avast kann beim Scan mehrere Pfade nicht finden


Teil 2 gmer.log:

Code:
ATTFilter
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                         000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                  000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                  000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                       000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                             000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                  000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                           000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                              000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                    000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                  000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                            000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                 000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                              000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                 000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                      000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                     000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                              000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                           000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                 000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                              000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                               000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                  000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                           000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                              000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                   000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                              000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                              000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                     000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                             000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                   000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                   000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                    000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                             000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                            000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                               000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                             000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                         000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                          000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                               000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                               000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                           000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                   000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files\Sandboxie\SbieSvc.exe[1232] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                        000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\svchost.exe[1328] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                       000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                               000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                      000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                      000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                               000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                            000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\user32.dll!UnhookWindowsHookEx                                                  000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExW                                                    000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\user32.dll!UnhookWinEvent                                                       000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\user32.dll!SetWinEventHook                                                      000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\system32\dashost.exe[2676] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExA                                                    000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                              000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                       000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                       000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                            000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                  000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                       000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                   000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                         000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                       000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                     000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                 000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                      000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                   000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                      000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                           000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                          000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                   000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                      000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                   000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                    000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                       000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                   000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                        000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                   000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                   000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                          000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                     000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                  000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                        000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                     000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                        000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                         000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                  000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                 000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                    000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                  000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                              000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                               000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                    000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                    000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                     000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                        000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                             000007fd0ebdab4f 1 byte [62]
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                  000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\system32\USER32.dll!UnhookWinEvent                                     000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\system32\USER32.dll!SetWinEventHook                                    000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                  000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                     000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                             000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                    000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                              000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                    000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                             000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                              000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Program Files\Intel\iCLS Client\HeciServer.exe[2808] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                          000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                        000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                 000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                 000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                      000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                            000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                 000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                          000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                             000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                   000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                 000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                               000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                           000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                             000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                     000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                    000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                             000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                          000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                             000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                              000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                 000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                          000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                             000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                  000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                             000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                             000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                    000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                               000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                            000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                  000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                               000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                  000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                   000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                            000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                           000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                              000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                            000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                        000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                         000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                              000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                              000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                               000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                          000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                  000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                          000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\system32\USER32.dll!SetWindowsHookExW                            000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\system32\USER32.dll!UnhookWinEvent                               000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\system32\USER32.dll!SetWinEventHook                              000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\system32\USER32.dll!SetWindowsHookExA                            000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!DeleteService                               000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                       000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                              000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                        000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                              000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                       000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                        000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2940] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                    000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                          000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                   000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                   000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                        000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                              000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                   000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                            000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                               000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                     000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                   000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                 000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                             000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                  000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                               000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                  000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                       000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                      000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                               000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                            000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                  000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                               000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                   000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                            000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                               000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                    000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                               000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                               000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                      000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                 000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                              000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                    000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                 000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                    000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                     000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                              000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                             000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                              000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                          000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                           000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                 000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                            000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                    000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                            000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                              000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\USER32.dll!UnhookWinEvent                                                 000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\USER32.dll!SetWinEventHook                                                000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                              000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                 000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                         000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                          000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                         000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                          000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                      000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                       000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                               000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                      000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                      000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                               000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                            000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\user32.dll!UnhookWindowsHookEx                                                  000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExW                                                    000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\user32.dll!UnhookWinEvent                                                       000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\user32.dll!SetWinEventHook                                                      000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExA                                                    000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                       000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                               000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                      000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                      000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                               000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\svchost.exe[3468] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                            000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                               000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                        000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                        000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                             000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                   000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                        000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                 000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                    000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                          000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                        000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                      000007fd11793080 1 byte JMP 000007fd91960310
__________________
Alt 15.04.2013, 10:08   #4
SuNi67
 
avast kann beim Scan mehrere Pfade nicht finden - Standard

avast kann beim Scan mehrere Pfade nicht finden


Teil 3 gmer.log

Code:
ATTFilter
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                  000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                       000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                    000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                       000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                            000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                           000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                    000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                 000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                       000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                    000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                     000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                        000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                 000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                    000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                         000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                    000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                    000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                           000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                      000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                   000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                         000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                      000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                         000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                          000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                   000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                  000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                     000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                   000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                               000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                     000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                     000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                      000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                 000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                         000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                 000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                   000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\system32\USER32.dll!UnhookWinEvent                                                      000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\system32\USER32.dll!SetWinEventHook                                                     000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                   000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                      000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                              000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                     000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                               000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                     000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                              000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                               000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\System32\WUDFHost.exe[4284] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                           000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\csrss.exe[4980] C:\Windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163                                                 000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                              000007fd11792d60 5 bytes JMP 000007fd91950b14
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                  000007fd11792dc0 5 bytes JMP 000007fd91950ecc
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                   000007fd11792ea0 5 bytes JMP 000007fd9195163c
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                               000007fd117930e0 5 bytes JMP 000007fd91951284
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                   000007fd11794251 5 bytes JMP 000007fd919519f4
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                         000007fd1179fad0 5 bytes JMP 000007fd9195075c
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                           000007fd117adfe4 5 bytes JMP 000007fd919503a4
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                                              000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                 000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                   000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\system32\USER32.dll!UnhookWinEvent                                                      000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\system32\USER32.dll!SetWinEventHook                                                     000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                   000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                      000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                              000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                     000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                               000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                     000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                              000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                               000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\winlogon.exe[5060] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                           000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                    000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                             000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                             000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                  000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                        000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                             000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                      000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                         000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                               000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                             000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                           000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                       000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                            000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                         000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                            000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                 000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                         000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                      000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                            000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                         000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                          000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                             000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                      000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                         000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                              000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                         000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                         000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                           000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                        000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                              000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                           000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                              000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                               000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                        000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                       000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                          000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                        000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                    000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                     000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                          000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                          000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                           000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                      000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                              000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                                                   000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                      000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                        000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\USER32.dll!UnhookWinEvent                                                           000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\USER32.dll!SetWinEventHook                                                          000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                        000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                           000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                   000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                          000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                    000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                          000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                   000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                    000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                                            000007fd113a177a 4 bytes [3A, 11, FD, 07]
.text   C:\Windows\system32\dwm.exe[4532] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                                            000007fd113a1782 4 bytes [3A, 11, FD, 07]
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                       000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                     000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                           000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                         000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                            000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                  000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                              000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                          000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                               000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                            000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                               000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                    000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                   000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                            000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                         000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                               000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                            000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                             000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                         000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                            000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                 000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                            000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                            000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                   000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                              000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                           000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                 000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                              000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                 000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                  000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                           000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                          000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                             000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                           000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                       000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                        000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                             000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                             000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                              000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                         000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                 000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                      000007fd0ebdab4f 1 byte [62]
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                         000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\system32\USER32.dll!SetWindowsHookExW                           000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\system32\USER32.dll!UnhookWinEvent                              000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\system32\USER32.dll!SetWinEventHook                             000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\system32\USER32.dll!SetWindowsHookExA                           000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!DeleteService                              000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                      000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                             000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                       000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                             000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                      000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                       000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                   000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                         000007fd0b151532 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                         000007fd0b15153a 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3380] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                       000007fd0b15165a 4 bytes [15, 0B, FD, 07]
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                 000007fd11792d60 5 bytes JMP 000007fd91950b14
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                     000007fd11792dc0 5 bytes JMP 000007fd91950ecc
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                      000007fd11792ea0 5 bytes JMP 000007fd9195163c
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                  000007fd117930e0 5 bytes JMP 000007fd91951284
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                      000007fd11794251 5 bytes JMP 000007fd919519f4
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                            000007fd1179fad0 5 bytes JMP 000007fd9195075c
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                              000007fd117adfe4 5 bytes JMP 000007fd919503a4
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                                                 000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                    000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                      000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\USER32.dll!UnhookWinEvent                                                         000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\USER32.dll!SetWinEventHook                                                        000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                      000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                         000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                 000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                        000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                  000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                        000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                 000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                  000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                              000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\MSIMG32.dll!GradientFill + 690                                                    000007fd0b151532 4 bytes [15, 0B, FD, 07]
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\MSIMG32.dll!GradientFill + 698                                                    000007fd0b15153a 4 bytes [15, 0B, FD, 07]
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246                                                  000007fd0b15165a 4 bytes [15, 0B, FD, 07]
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                                          000007fd113a177a 4 bytes [3A, 11, FD, 07]
.text   C:\Windows\system32\nvvsvc.exe[752] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                                          000007fd113a1782 4 bytes [3A, 11, FD, 07]
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                            000007fd11792d60 5 bytes JMP 000007fd91950b14
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                000007fd11792dc0 5 bytes JMP 000007fd91950ecc
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                 000007fd11792ea0 5 bytes JMP 000007fd9195163c
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                             000007fd117930e0 5 bytes JMP 000007fd91951284
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                 000007fd11794251 5 bytes JMP 000007fd919519f4
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                       000007fd1179fad0 5 bytes JMP 000007fd9195075c
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                         000007fd117adfe4 5 bytes JMP 000007fd919503a4
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                    000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                            000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                   000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                             000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                   000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                            000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                             000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                         000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\user32.dll!UnhookWindowsHookEx                                               000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExW                                                 000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\user32.dll!UnhookWinEvent                                                    000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\user32.dll!SetWinEventHook                                                   000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\system32\taskhostex.exe[4568] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExA                                                 000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                        000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                 000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                 000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                      000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                            000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                 000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                          000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                             000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                   000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                 000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                               000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                           000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                             000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                     000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                    000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                             000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                          000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                             000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                              000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                 000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                          000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                             000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                  000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                             000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                             000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                    000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                               000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                            000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                  000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                               000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                  000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                   000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                            000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                           000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                              000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                            000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                        000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                         000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                              000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                              000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                               000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                          000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                  000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                                                       000007fd0ebdab4f 1 byte [62]
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                          000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                            000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\USER32.dll!UnhookWinEvent                                                               000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\USER32.dll!SetWinEventHook                                                              000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                            000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                               000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                       000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                              000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                        000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                              000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                       000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                        000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                    000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                                                000007fd113a177a 4 bytes [3A, 11, FD, 07]
.text   C:\Windows\Explorer.EXE[2776] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                                                000007fd113a1782 4 bytes [3A, 11, FD, 07]
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                         000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                  000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                  000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                       000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                             000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                  000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                           000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                              000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                    000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                  000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                            000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                 000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                              000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                 000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                      000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                     000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                              000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                           000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                 000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                              000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                               000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                  000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                           000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                              000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                   000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                              000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                              000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                     000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                             000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                   000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                   000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                    000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                             000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                            000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                               000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                             000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                         000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                          000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                               000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                               000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                           000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                   000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                        000007fd0ebdab4f 1 byte [62]
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                           000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\system32\USER32.dll!SetWindowsHookExW                             000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\system32\USER32.dll!UnhookWinEvent                                000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\system32\USER32.dll!SetWinEventHook                               000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\system32\USER32.dll!SetWindowsHookExA                             000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                           000007fd0b151532 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                           000007fd0b15153a 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                         000007fd0b15165a 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                        000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                               000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                         000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                               000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                        000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                         000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4456] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                     000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163                               000007fd0ebdab4f 1 byte [62]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                  000007fd10fa2120 5 bytes JMP 000007fd910f1284
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                    000007fd10fabee0 5 bytes JMP 000007fd910f0ecc
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\system32\USER32.dll!UnhookWinEvent                                       000007fd10fae030 5 bytes JMP 000007fd910f075c
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\system32\USER32.dll!SetWinEventHook                                      000007fd10fb2f70 5 bytes JMP 000007fd910f03a4
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                    000007fd10fd1850 5 bytes JMP 000007fd910f0b14
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                  000007fd0b151532 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                  000007fd0b15153a 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                000007fd0b15165a 4 bytes [15, 0B, FD, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                       000007fd11417510 5 bytes JMP 000007fd91460b14
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                               000007fd11417550 5 bytes JMP 000007fd914619f4
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                      000007fd114175d0 5 bytes JMP 000007fd9146075c
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                000007fd11417b20 5 bytes JMP 000007fd91461284
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                      000007fd1143b034 5 bytes JMP 000007fd914603a4
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                               000007fd1143b2e4 5 bytes JMP 000007fd9146163c
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                000007fd1143b470 5 bytes JMP 000007fd91460ecc
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3368] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                            000007fd1143b6d4 5 bytes JMP 000007fd91461dac
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                         000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                         000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                              000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                         000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                  000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                     000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                           000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                         000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                       000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2                                                   000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                        000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                     000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                        000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                             000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                            000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                     000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                  000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                        000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                     000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                      000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                         000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                  000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                     000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                          000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                     000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                     000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                            000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                       000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                    000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                          000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                       000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                          000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                           000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                    000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                   000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                      000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                 000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                      000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                      000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                       000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                  000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                          000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Windows\system32\AUDIODG.EXE[2960] C:\Windows\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 163                                               000007fd0ebdab4f 1 byte [62]
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort          000007fd11792c90 5 bytes JMP 000007fd91960460
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                   000007fd11792ce0 5 bytes JMP 000007fd91960450
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                   000007fd11792e40 5 bytes JMP 000007fd91960370
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx        000007fd11792e90 5 bytes JMP 000007fd91960470
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess              000007fd11792ea0 5 bytes JMP 000007fd919603e0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                   000007fd11792f50 5 bytes JMP 000007fd91960320
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory            000007fd11792f80 5 bytes JMP 000007fd919603b0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject               000007fd11792fa0 5 bytes JMP 000007fd91960390
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                     000007fd11792fe0 5 bytes JMP 000007fd919602e0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                   000007fd11793060 5 bytes JMP 000007fd919602d0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                 000007fd11793080 1 byte JMP 000007fd91960310
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2             000007fd11793082 3 bytes {JMP 0xffffffff801cd290}
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                  000007fd117930c0 5 bytes JMP 000007fd919603c0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread               000007fd11793110 5 bytes JMP 000007fd919603f0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                  000007fd11793281 5 bytes JMP 000007fd91960230
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort       000007fd11793471 5 bytes JMP 000007fd91960480
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject      000007fd117934a1 5 bytes JMP 000007fd919603a0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair               000007fd117935b1 5 bytes JMP 000007fd919602f0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion            000007fd117935d1 5 bytes JMP 000007fd91960350
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                  000007fd11793641 5 bytes JMP 000007fd91960290
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore               000007fd117936d1 5 bytes JMP 000007fd919602b0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                000007fd117936f1 5 bytes JMP 000007fd919603d0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                   000007fd11793701 5 bytes JMP 000007fd91960330
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess            000007fd117937a1 5 bytes JMP 000007fd91960410
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry               000007fd117937d1 5 bytes JMP 000007fd91960240
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                    000007fd11793ae1 5 bytes JMP 000007fd919601e0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry               000007fd11793ba1 5 bytes JMP 000007fd91960250
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey               000007fd11793bd1 5 bytes JMP 000007fd91960490
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys      000007fd11793be1 5 bytes JMP 000007fd919604a0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                 000007fd11793c11 5 bytes JMP 000007fd91960300
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion              000007fd11793c21 5 bytes JMP 000007fd91960360
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                    000007fd11793c81 5 bytes JMP 000007fd919602a0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                 000007fd11793cd1 5 bytes JMP 000007fd919602c0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                    000007fd11793d01 5 bytes JMP 000007fd91960380
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                     000007fd11793d11 5 bytes JMP 000007fd91960340
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx              000007fd11794021 5 bytes JMP 000007fd91960440
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder             000007fd11794221 5 bytes JMP 000007fd91960260
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                000007fd11794231 5 bytes JMP 000007fd91960270
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread              000007fd11794251 5 bytes JMP 000007fd91960400
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation          000007fd11794431 5 bytes JMP 000007fd919601f0
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState           000007fd11794441 5 bytes JMP 000007fd91960210
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                000007fd117944b1 5 bytes JMP 000007fd91960200
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                000007fd11794521 5 bytes JMP 000007fd91960420
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                 000007fd11794531 5 bytes JMP 000007fd91960430
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl            000007fd11794541 5 bytes JMP 000007fd91960220
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                    000007fd11794651 5 bytes JMP 000007fd91960280
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163         000007fd0ebdab4f 1 byte [62]
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007fd113a177a 4 bytes [3A, 11, FD, 07]
.text   C:\Program Files (x86)\Lenovo\LenovoQuickLaunch\LenovoQuickLaunch.exe[4052] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007fd113a1782 4 bytes [3A, 11, FD, 07]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [4980:4904]                                                                                                 fffff960008e75e8

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                                                     unknown MBR code

---- EOF - GMER 2.1 ----

Antwort

Themen zu avast kann beim Scan mehrere Pfade nicht finden
adobe, antivirus, aswrvrt.sys, autorun, avast, bho, defender, down, error, explorer, firefox, flash player, format, helper, homepage, iexplore.exe, install.exe, logfile, pando media booster, problem, prozess, realtek, registry, rundll, scan, secunia psi, security, software


« GVU Trojaner April 2013 - Wie kann ich den löschen? | Laptop hängt und ständig Bluescreens »


Ähnliche Themen: avast kann beim Scan mehrere Pfade nicht finden


  1. Avast Web-Schutz blockiert 64-up.to kann aber den Auslöser nicht finden
    Log-Analyse und Auswertung - 01.08.2015 (3)
  2. Windows 7 Starter: Avast Scan meldet Rootkits, bei zweitem Scan keine mehr
    Log-Analyse und Auswertung - 25.09.2014 (18)
  3. avast scan kann Dateien nicht prüfen, blockiert an einem Tag mehrere Angriffe
    Plagegeister aller Art und deren Bekämpfung - 25.08.2014 (25)
  4. Win Vista - Kann Bluetooth Lautsprecher nicht finden
    Netzwerk und Hardware - 05.01.2014 (3)
  5. Avast Fehler: Das System kann den angegebenen Pfad nicht finden (3)
    Log-Analyse und Auswertung - 01.06.2013 (37)
  6. Ich habe einen Trojaner und kann ihn beim scanen nicht finden!
    Plagegeister aller Art und deren Bekämpfung - 20.04.2013 (9)
  7. Kann datei nicht finden !
    Log-Analyse und Auswertung - 10.04.2012 (3)
  8. Avira erst Warnung HTML/Infected.WebPage.Gen2 beim Scan dann mehrere versteckte Objekte gefunden
    Log-Analyse und Auswertung - 23.01.2012 (21)
  9. Avast meldet einen Fehler beim Scan und zwar infiziert von Java: Agent-VN (Expl)
    Plagegeister aller Art und deren Bekämpfung - 07.11.2011 (1)
  10. Mein PC kann das Provil nicht finden
    Log-Analyse und Auswertung - 07.05.2011 (1)
  11. Virus den ich nicht finden kann
    Mülltonne - 25.04.2011 (1)
  12. ! Virus! Ich weis das er da ist. Aber kann ihn nicht finden.
    Plagegeister aller Art und deren Bekämpfung - 21.04.2011 (5)
  13. Kann passenden Mainboard-Treiber nicht finden.
    Netzwerk und Hardware - 28.02.2010 (7)
  14. Kann den Trojaner nicht finden
    Plagegeister aller Art und deren Bekämpfung - 28.10.2007 (10)
  15. Onlinekasino Popup / kann den Schädling nicht finden
    Log-Analyse und Auswertung - 21.09.2007 (1)
  16. trojan.linkoptimizer - kann die Datei nicht finden
    Plagegeister aller Art und deren Bekämpfung - 12.09.2006 (2)
  17. Warnungen: kann nicht geöffnet werden beim Scan
    Plagegeister aller Art und deren Bekämpfung - 12.07.2006 (3)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema avast kann beim Scan mehrere Pfade nicht finden - Guten Morgen liebes Helfer-Team, ich habe heute morgen den PC meines Sohnes einem Virenscan unterzogen und erhielt dabei zwar keine Fundmeldung, jedoch konnten mehrer Pfade nicht geöffnet werden (ich werde - avast kann beim Scan mehrere Pfade nicht finden...
Archiv
Du betrachtest: avast kann beim Scan mehrere Pfade nicht finden auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130