Log Analysis and Evaluation: Windows 7: HomeTab\TBUpdater.dll blocks Firefox and destroys Outlook data
If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
09.10.2013, 08:12 | #16
Windows 7: HomeTab\TBUpdater.dll blocks Firefox and destroys Outlook data
GMER part 13:
Code:
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefda03461 3 bytes [B8, 39, C4]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefda0bfd1 3 bytes [B8, F9, BE]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefda4287a 2 bytes [50, C3]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007feffb30761 3 bytes [B8, 79, F3]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69 000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text C:\Program Files\iPod\bin\iPodService.exe[5988] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077931338 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000779313a8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077931478 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077931518 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077931538 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077931558 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077931628 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077931658 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077931678 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077931708 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077931758 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077931788 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077931798 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077931808 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000779318b8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077931c88 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077931cd8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077931d38 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000779320a8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000779325e8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000779327e8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000779329a8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077932aa8 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077932b88 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000779a3201 3 bytes [B8, F9, 7F]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5 00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefda03461 3 bytes [B8, 39, C4]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefda0bfd1 3 bytes [B8, F9, BE]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefda4287a 2 bytes [50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007feffb30761 3 bytes [B8, 79, F3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69 000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefdb2a480 12 bytes [48, B8, 79, 60, 08, 76, 00, ...]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5560] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefdb2b3ed 11 bytes [B8, B9, 5E, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077931338 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000779313a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077931478 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077931518 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077931538 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077931558 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077931628 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077931658 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077931678 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077931708 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077931758 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077931788 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077931798 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077931808 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000779318b8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077931c88 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077931cd8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077931d38 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000779320a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000779325e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000779327e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000779329a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077932aa8 4 bytes [00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000779a3201 3 bytes [B8, F9, 7F]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5 00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefda03461 3 bytes [B8, 39, C4]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefda0bfd1 3 bytes [B8, F9, BE]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefda4287a 2 bytes [50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff8713b1 3 bytes [B8, B9, B9]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!WSASend + 5 000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!closesocket 000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff872201 3 bytes [B8, B9, DC]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!WSARecv + 5 000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!connect 000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!send + 1 000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff878df9 3 bytes [00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff87de91 3 bytes [B8, B9, D5]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!socket + 5 000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff87df41 3 bytes [B8, F9, DA]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!recv + 5 000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\System32\svchost.exe[5944] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077931338 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000779313a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077931478 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077931518 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077931538 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077931558 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077931628 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077931658 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077931678 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077931708 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077931758 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077931788 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[5460]
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077931798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077931808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000779318b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077931c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077931cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077931d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000779320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000779325e0 6 bytes [48, B8, 39, 
7E, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000779325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000779327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000779329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077932aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077932b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000779a3201 3 bytes [B8, F9, 7F] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5 00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...] 
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefda03461 3 bytes [B8, 39, C4] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...] 
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefda0bfd1 3 bytes [B8, F9, BE] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefda4287a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!CreateWindowExA 00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!PostMessageA + 1 00000000776ca405 3 bytes [B8, B9, E3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!PostMessageA + 5 00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!CallNextHookEx + 1 00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowW + 1 00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowW + 9 00000000776cd26d 3 bytes [00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8 00000000776cd448 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1 00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9 00000000776cf87d 3 bytes [00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!CreateWindowExW 00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!ShowWindow 00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!ShowWindow + 8 00000000776d1938 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!PeekMessageA + 1 00000000776d3a19 3 bytes [B8, B9, 6C] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!PeekMessageA + 5 00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!GetMessageA + 1 00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...] 
.text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowTextW + 1 00000000776d7055 3 bytes [B8, B9, B2] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowTextW + 5 00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!PostMessageW + 1 00000000776d76e5 11 bytes [B8, 79, E5, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!PeekMessageW + 1 00000000776d8fd1 3 bytes [B8, 79, 6E] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!PeekMessageW + 5 00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!GetMessageW 00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1 00000000776da2c9 3 bytes [B8, 79, F3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5 00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1 00000000776e4efd 3 bytes [B8, B9, AB] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5 00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1 00000000776e7469 3 bytes [B8, F9, A9] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5 00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowA + 1 00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowA 
+ 9 00000000776e8279 3 bytes [00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1 00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10 00000000776e8c2a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowExW + 1 00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowExW + 9 00000000776e8d29 3 bytes [00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!MessageBoxExA + 1 0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!MessageBoxExW + 1 0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowTextA + 1 000000007773d379 3 bytes [B8, F9, B0] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!SetWindowTextA + 5 000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowExA + 1 000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00] .text C:\Windows\system32\taskeng.exe[5460] C:\Windows\system32\USER32.dll!FindWindowExA + 9 000000007773dae9 3 bytes [00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000779192d1 5 bytes [B8, F9, 63, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000779192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077931330 6 bytes [48, B8, 79, 
EC, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077931338 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000779313a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077931470 6 bytes [48, B8, 39, BD, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077931478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077931518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077931538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077931558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, 79, BB, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077931620 6 bytes [48, B8, F9, E8, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077931628 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077931658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077931670 6 bytes [48, B8, 79, 36, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077931678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077931700 6 bytes [48, B8, B9, 34, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077931708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077931750 6 bytes [48, B8, 39, EE, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077931758 4 bytes [00, 00, 50, C3] .text C:\Program 
Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077931788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077931798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077931808 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000779318b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077931c88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077931cd8 4 bytes 
[00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077931d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000779320a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000779325e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000779327e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000779329a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077932aa8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077932b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000779a3201 3 bytes [B8, F9, 7F] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5 00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...] 
.text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefda03461 3 bytes [B8, 39, C4] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...] 
.text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefda0bfd1 3 bytes [B8, F9, BE] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefda4287a 2 bytes [50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007feffb30761 3 bytes [B8, 79, F3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69 000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...] 
.text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...] .text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[6612] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...] 
.text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000779192d1 5 bytes [B8, F9, 63, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000779192d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077931330 6 bytes [48, B8, 79, EC, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077931338 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000779313a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077931470 6 bytes [48, B8, 39, BD, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077931478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077931518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077931538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077931558 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, 79, BB, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077931620 6 bytes [48, B8, F9, E8, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077931628 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077931658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077931670 6 bytes [48, B8, 79, 36, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077931678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077931700 6 bytes [48, B8, B9, 34, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077931708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077931750 6 bytes [48, B8, 39, EE, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077931758 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077931788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077931798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
09.10.2013, 08:14 | #17 |
Windows 7: HomeTab\TBUpdater.dll blocks Firefox and destroys Outlook data, GMER part 14:
Code:
.text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077931808 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000779318b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077931c88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077931cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077931d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000779320a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000779325e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76] .text C:\Windows\system32\DllHost.exe[6764]
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000779327e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000779329a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077932aa8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077932b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000779a3201 3 bytes [B8, F9, 7F] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5 00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...] 
.text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefda03461 3 bytes [B8, 39, C4] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...] 
.text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefda0bfd1 3 bytes [B8, F9, BE] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefda4287a 2 bytes [50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!CreateWindowExA 00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!PostMessageA + 1 00000000776ca405 3 bytes [B8, B9, E3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!PostMessageA + 5 00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!CallNextHookEx + 1 00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...] 
.text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowW + 1 00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowW + 9 00000000776cd26d 3 bytes [00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8 00000000776cd448 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1 00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9 00000000776cf87d 3 bytes [00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!CreateWindowExW 00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!ShowWindow 00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!ShowWindow + 8 00000000776d1938 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!PeekMessageA + 1 00000000776d3a19 3 bytes [B8, B9, 6C] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!PeekMessageA + 5 00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!GetMessageA + 1 00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...] 
.text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowTextW + 1 00000000776d7055 3 bytes [B8, B9, B2] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowTextW + 5 00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!PostMessageW + 1 00000000776d76e5 11 bytes [B8, 79, E5, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!PeekMessageW + 1 00000000776d8fd1 3 bytes [B8, 79, 6E] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!PeekMessageW + 5 00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!GetMessageW 00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1 00000000776da2c9 3 bytes [B8, 79, F3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5 00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1 00000000776e4efd 3 bytes [B8, B9, AB] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5 00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1 00000000776e7469 3 bytes [B8, F9, A9] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5 00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowA + 1 00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowA 
+ 9 00000000776e8279 3 bytes [00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1 00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10 00000000776e8c2a 2 bytes [50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowExW + 1 00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowExW + 9 00000000776e8d29 3 bytes [00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!MessageBoxExA + 1 0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!MessageBoxExW + 1 0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowTextA + 1 000000007773d379 3 bytes [B8, F9, B0] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!SetWindowTextA + 5 000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowExA + 1 000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\USER32.dll!FindWindowExA + 9 000000007773dae9 3 bytes [00, 50, C3] .text C:\Windows\system32\DllHost.exe[6764] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...] 
.text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077adf928 5 bytes JMP 0000000175ba6661 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077adf9e0 5 bytes JMP 0000000175ba5f11 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077adfb28 5 bytes JMP 0000000175ba5971 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077adfc20 5 bytes JMP 0000000175ba3061 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc50 5 bytes JMP 0000000175ba15f1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077adfc80 5 bytes JMP 0000000175ba1681 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077adfcb0 5 bytes JMP 0000000175ba58e1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077adfdc8 5 bytes JMP 0000000175ba65d1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe14 5 bytes JMP 0000000175ba2f41 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077adfe44 5 bytes JMP 0000000175ba3181 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077adff24 5 bytes JMP 0000000175ba30f1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077adffa4 5 bytes JMP 0000000175ba66f1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077adffec 5 bytes JMP 0000000175ba2d91 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ae0004 5 bytes JMP 0000000175ba2c71 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ae00b4 5 bytes JMP 0000000175ba1e61 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ae01c4 5 bytes JMP 0000000175ba2251 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ae079c 5 bytes JMP 0000000175ba6541 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ae0814 5 bytes JMP 0000000175ba2d01 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ae08a4 5 bytes JMP 0000000175ba2be1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ae0df4 5 bytes JMP 0000000175ba5fa1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ae1604 5 bytes JMP 0000000175ba4651 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ae1920 5 bytes JMP 0000000175ba2fd1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ae1be4 5 bytes JMP 0000000175ba6031 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ae1d8c 5 bytes JMP 0000000175ba6781 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ae1ee8 5 bytes JMP 0000000175ba6391 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077af88c4 5 bytes JMP 0000000175ba1a71 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 
0000000077b20d3b 5 bytes JMP 0000000175ba1f81 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b6860f 5 bytes JMP 0000000175ba46e1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000756b0e00 5 bytes JMP 0000000075ba1d41 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000756b1072 5 bytes JMP 0000000075ba2911 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000756b4977 5 bytes JMP 0000000075ba2521 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756c3b93 4 bytes JMP 0000000075ba2eb1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000756d72f7 5 bytes JMP 0000000075ba2641 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000756d8904 5 bytes JMP 0000000075ba5e81 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075732c51 5 bytes JMP 0000000075ba27f1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000075756f2b 5 bytes JMP 0000000075ba4261 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075756f4e 5 bytes JMP 0000000075ba4381 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000757572f9 5 bytes JMP 0000000075ba44a1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075757372 5 bytes 
JMP 0000000075ba45c1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075998f7d 5 bytes JMP 0000000075ba19e1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007599c428 5 bytes JMP 0000000075ba37b1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007599ec98 5 bytes JMP 0000000075ba32a1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007599f1f8 5 bytes JMP 0000000075ba22e1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007599fa7b 5 bytes JMP 0000000075ba1dd1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000759a134a 5 bytes JMP 0000000075ba3721 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000759a1371 5 bytes JMP 0000000075ba3691 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000759a1d1b 5 bytes JMP 0000000075ba1951 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000759a1e07 5 bytes JMP 0000000075ba2401 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000759a2aa4 5 bytes JMP 0000000075ba5a91 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000759a2ccc 5 bytes JMP 0000000075ba5a01 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000759a2d0a 5 bytes JMP 0000000075ba5b21 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000759a2e6d 5 bytes JMP 0000000075ba18c1 
.text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000759a3b63 5 bytes JMP 0000000075ba21c1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000759a4489 5 bytes JMP 0000000075ba2371 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000759a45fb 5 bytes JMP 0000000075ba3211 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000759a4624 5 bytes JMP 0000000075ba2b51 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000759ac72c 5 bytes JMP 0000000075ba26d1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000775d78e2 5 bytes JMP 0000000175ba4021 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000775d7bd3 5 bytes JMP 0000000175ba3f91 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000775d8a29 5 bytes JMP 0000000175ba52b1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000775d98fd 5 bytes JMP 0000000175ba5cd1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000775db6ed 5 bytes JMP 0000000175ba6811 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000775dd22e 5 bytes JMP 0000000175ba5341 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000775dffe6 5 bytes JMP 0000000175ba5bb1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000775e00d9 5 bytes JMP 0000000175ba5c41 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] 
C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000775e05ba 5 bytes JMP 0000000175ba4141 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000775e0dfb 5 bytes JMP 0000000175ba53d1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775e12a5 5 bytes JMP 0000000175ba64b1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000775e20ec 5 bytes JMP 0000000175ba5731 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775e3baa 5 bytes JMP 0000000175ba6421 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000775e5f74 5 bytes JMP 0000000175ba40b1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000775e6285 5 bytes JMP 0000000175ba4771 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775e7603 5 bytes JMP 0000000175ba2ac1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000775e7aee 5 bytes JMP 0000000175ba56a1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775e835c 5 bytes JMP 0000000175ba2a31 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000775fce54 5 bytes JMP 0000000175ba54f1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775ff52b 5 bytes JMP 0000000175ba4801 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000775ff588 5 bytes JMP 0000000175ba5d61 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[980] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 
(x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ae01c4 5 bytes JMP 0000000175ba2251 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ae079c 5 bytes JMP 0000000175ba6541 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ae0814 5 bytes JMP 0000000175ba2d01 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ae08a4 5 bytes JMP 0000000175ba2be1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ae0df4 5 bytes JMP 0000000175ba5fa1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ae1604 5 bytes JMP 0000000175ba4651 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ae1920 5 bytes JMP 0000000175ba2fd1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ae1be4 5 bytes JMP 0000000175ba6031 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ae1d8c 5 bytes JMP 0000000175ba6781 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ae1ee8 5 bytes JMP 0000000175ba6391 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077af88c4 5 bytes JMP 0000000175ba1a71 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077b20d3b 5 bytes JMP 0000000175ba1f81 .text 
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b6860f 5 bytes JMP 0000000175ba46e1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000756b0e00 5 bytes JMP 0000000075ba1d41 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000756b1072 5 bytes JMP 0000000075ba2911 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000756b4977 5 bytes JMP 0000000075ba2521 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756c3b93 4 bytes JMP 0000000075ba2eb1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000756d72f7 5 bytes JMP 0000000075ba2641 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000756d8904 5 bytes JMP 0000000075ba5e81 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075732c51 5 bytes JMP 0000000075ba27f1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000075756f2b 5 bytes JMP 0000000075ba4261 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075756f4e 5 bytes JMP 0000000075ba4381 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000757572f9 5 
bytes JMP 0000000075ba44a1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075757372 5 bytes JMP 0000000075ba45c1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075998f7d 5 bytes JMP 0000000075ba19e1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007599c428 5 bytes JMP 0000000075ba37b1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007599ec98 5 bytes JMP 0000000075ba32a1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007599f1f8 5 bytes JMP 0000000075ba22e1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007599fa7b 5 bytes JMP 0000000075ba1dd1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000759a134a 5 bytes JMP 0000000075ba3721 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000759a1371 5 bytes JMP 0000000075ba3691 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000759a1d1b 5 bytes JMP 0000000075ba1951 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000759a1e07 5 bytes JMP 0000000075ba2401 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000759a2aa4 5 bytes JMP 0000000075ba5a91 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] 
C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000759a2ccc 5 bytes JMP 0000000075ba5a01 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000759a2d0a 5 bytes JMP 0000000075ba5b21 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000759a2e6d 5 bytes JMP 0000000075ba18c1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000759a3b63 5 bytes JMP 0000000075ba21c1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000759a4489 5 bytes JMP 0000000075ba2371 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000759a45fb 5 bytes JMP 0000000075ba3211 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000759a4624 5 bytes JMP 0000000075ba2b51 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000759ac72c 5 bytes JMP 0000000075ba26d1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000775d78e2 5 bytes JMP 0000000175ba4021 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000775d7bd3 5 bytes JMP 0000000175ba3f91 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000775d8a29 5 bytes JMP 0000000175ba52b1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000775d98fd 5 bytes JMP 0000000175ba5cd1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] 
C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000775db6ed 5 bytes JMP 0000000175ba6811 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000775dd22e 5 bytes JMP 0000000175ba5341 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000775dffe6 5 bytes JMP 0000000175ba5bb1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000775e00d9 5 bytes JMP 0000000175ba5c41 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000775e05ba 5 bytes JMP 0000000175ba4141 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000775e0dfb 5 bytes JMP 0000000175ba53d1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775e12a5 5 bytes JMP 0000000175ba64b1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000775e20ec 5 bytes JMP 0000000175ba5731 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775e3baa 5 bytes JMP 0000000175ba6421 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000775e5f74 5 bytes JMP 0000000175ba40b1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000775e6285 5 bytes JMP 0000000175ba4771 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775e7603 5 bytes JMP 0000000175ba2ac1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] 
C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000775e7aee 5 bytes JMP 0000000175ba56a1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775e835c 5 bytes JMP 0000000175ba2a31 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000775fce54 5 bytes JMP 0000000175ba54f1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775ff52b 5 bytes JMP 0000000175ba4801 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000775ff588 5 bytes JMP 0000000175ba5d61 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000776010a0 5 bytes JMP 0000000175ba5461 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007762fcd6 5 bytes JMP 0000000175ba5581 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007762fcfa 5 bytes JMP 0000000175ba5611 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007752ca4c 5 bytes JMP 0000000175ba38d1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000077532bf0 5 bytes JMP 0000000175ba3841 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007753369c 5 bytes JMP 0000000175ba3cc1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000775349e5 5 bytes JMP 0000000175ba68a1 .text C:\Program Files 
(x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 000000007754712c 5 bytes JMP 0000000175ba3f01 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000077547144 5 bytes JMP 0000000175ba3a81 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000007754715c 5 bytes JMP 0000000175ba3b11 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000775630e8 5 bytes JMP 0000000175ba3ba1 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000775630f8 5 bytes JMP 0000000175ba3c31 .text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000077563108 5 bytes JMP 0000000175ba3961 |
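Every hook line in the GMER output above has the same shape: process[pid], module!function with an optional "+ offset", the patched address, a byte count, and then either the target of a rel32 JMP that GMER has already resolved (the 32-bit WOW64 entries) or the raw patched bytes (the 64-bit entries). The 64-bit byte sequence 48 B8 <8-byte address> 50 C3 is mov rax, imm64; push rax; ret, a 12-byte trampoline, and GMER reports it in pieces ("+ 1" and "+ 5", "+ 0" and "+ 8") or cuts the listing short with "...", so the target has to be reassembled per hooked function. The following is an added example written for this page; it is not part of the thread and not GMER's code. It parses such lines, merges the fragments of each hooked function, decodes the trampoline target with ?? for bytes the log does not show, and counts the resolved JMP targets per 64 KiB region, which is how you check whether all the hooks funnel into one injected module. The sample lines are copied from the log above. Two points are assumptions, not documented GMER behaviour: bytes the log leaves out are treated as unchanged original code, and WOW64 targets are masked to 32 bits because a 32-bit image cannot jump above 4 GiB.

```python
"""Decode the user-mode hook lines of a GMER log (added example, not part of the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied verbatim from the GMER output posted above.
SAMPLE_LOG = r"""
.text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077adf928 5 bytes JMP 0000000175ba6661
.text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[4244] C:\Windows\syswow64\WS2_32.dll!connect 0000000076eb6bdd 1 byte JMP 0000000175ba3de1
.text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[4244] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076eb6bdf 3 bytes {CALL RCX}
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text C:\Program Files\Bitdefender\Bitdefender\odscanui.exe[9956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, F0, 12, EE, 01]
.text C:\Program Files\Bitdefender\Bitdefender\odscanui.exe[9956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3]
.text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771b1465 2 bytes [1B, 77]
"""

# Layout inferred from the lines above: process[pid] module!func [+ off] addr N bytes <JMP target | [bytes] | {asm}>
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>\d+))?\s+(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes?\s+"
    r"(?:JMP\s+(?P<jmp>[0-9a-fA-F]{16})|\[(?P<bytes>[^\]]*)\]|\{(?P<asm>[^}]*)\})\s*$")

Key = Tuple[str, int, str, str]  # (process, pid, module, function)

@dataclass
class Fragment:
    key: Key
    offset: int                # "+ N": where inside the function this piece sits
    jmp_target: Optional[int]  # set when GMER already resolved a JMP
    raw: List[int]             # patched bytes GMER listed ("..." means elided)

@dataclass
class Hook:
    key: Key
    kind: str                      # "jmp", "push_ret" or "other"
    target: Optional[int] = None   # only when every target byte is known
    target_pattern: str = ""       # hex, "??" where the log does not show the byte
    push_ret_seen: bool = False

def parse_gmer(text: str) -> List[Fragment]:
    frags = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = [int(t, 16) for t in (m.group("bytes") or "").split(",") if t.strip() and t.strip() != "..."]
        key = (m.group("proc"), int(m.group("pid")), m.group("module"), m.group("func"))
        jmp = int(m.group("jmp"), 16) if m.group("jmp") else None
        frags.append(Fragment(key, int(m.group("off") or 0), jmp, raw))
    return frags

def decode_hooks(frags: List[Fragment]) -> Dict[Key, Hook]:
    groups: Dict[Key, List[Fragment]] = defaultdict(list)
    for f in frags:
        groups[f.key].append(f)
    hooks: Dict[Key, Hook] = {}
    for key, parts in groups.items():
        hook = Hook(key, "other")
        jmps = [p.jmp_target for p in parts if p.jmp_target is not None]
        if jmps:  # rel32 JMP hook; GMER printed the resolved target
            hook.kind, hook.target = "jmp", jmps[0]
            # Assumption: a WOW64 (syswow64) image cannot jump above 4 GiB, so the
            # stray high dword GMER prints for those targets is dropped.
            if "syswow64" in key[2].lower():
                hook.target &= 0xFFFFFFFF
            hook.target_pattern = f"{hook.target:016x}"
        else:
            bmap: Dict[int, int] = {}  # offset -> patched byte, merged over all fragments
            for p in parts:
                for i, b in enumerate(p.raw):
                    bmap[p.offset + i] = b
            # 48 B8 <imm64> 50 C3 = mov rax, imm64 ; push rax ; ret. Assumption: bytes the log
            # omits were unchanged, so the REX prefix at +0 may be absent (cf. the +1/+5 split).
            if bmap.get(1) == 0xB8 and bmap.get(0, 0x48) == 0x48:
                imm = [bmap.get(2 + i) for i in range(8)]
                hook.kind = "push_ret"
                hook.target_pattern = "".join("??" if b is None else f"{b:02x}" for b in reversed(imm))
                if None not in imm:
                    hook.target = int.from_bytes(bytes(imm), "little")
                hook.push_ret_seen = bmap.get(10) == 0x50 and bmap.get(11) == 0xC3
        hooks[key] = hook
    return hooks

def target_regions(hooks: Dict[Key, Hook], granularity: int = 0x10000) -> Dict[int, int]:
    """Fully resolved hooks per 64 KiB target region (Windows maps images at 64 KiB granularity)."""
    counts: Dict[int, int] = defaultdict(int)
    for h in hooks.values():
        if h.target is not None:
            counts[h.target - h.target % granularity] += 1
    return dict(counts)

if __name__ == "__main__":
    hooks = decode_hooks(parse_gmer(SAMPLE_LOG))
    for h in hooks.values():
        print(f"{h.key[3]:<22} {h.kind:<9} {h.target_pattern or '-':<18} push/ret={h.push_ret_seen}")
    for base, n in sorted(target_regions(hooks).items()):
        print(f"region {base:#x}: {n} hook(s)")
```

Run as a script it prints one line per hooked function; for a real log call parse_gmer on the whole file contents. The region count is the triage signal: hooks placed by one security product or one injected DLL usually share a target module, so a second region is what to look at, and push_ret_seen tells you whether the tail of the trampoline was actually confirmed in the log or only inferred from the mov.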
09.10.2013, 08:15 | #18
Windows 7: HomeTab\TBUpdater.dll blocks Firefox and destroys Outlook data. GMER part 15 and end:
Code:
.text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000077563118 5 bytes JMP 0000000175ba39f1
.text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000077563158 5 bytes JMP 0000000175ba3e71
.text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000076280171 5 bytes JMP 0000000175ba4891
.text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771b1465 2 bytes [1B, 77]
.text C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771b14bb 2 bytes [1B, 77]
.text ... * 2
.text C:\soloapp\soloapp.exe[7808] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000771b1465 2 bytes [1B, 77]
.text C:\soloapp\soloapp.exe[7808] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000771b14bb 2 bytes [1B, 77]
.text ... * 2
.text C:\soloapp\soloapp.exe[9124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771b1465 2 bytes [1B, 77]
.text C:\soloapp\soloapp.exe[9124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771b14bb 2 bytes [1B, 77]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe[8732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771b1465 2 bytes [1B, 77]
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe[8732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771b14bb 2 bytes [1B, 77]
.text ... * 2
.text C:\Program Files\Bitdefender\Bitdefender\odscanui.exe[9956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, F0, 12, EE, 01]
.text C:\Program Files\Bitdefender\Bitdefender\odscanui.exe[9956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender\odscanui.exe[9956] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 0000000077859301 11 bytes [B8, F0, 12, 99, 02, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077931338 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000779313a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077931478 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077931518 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077931538 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077931558 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077931578 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077931628 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077931658 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077931678 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077931708 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077931758 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077931788 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077931798 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077931808 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000779318b8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077931c88 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077931cd8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077931d38 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000779320a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000779325e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000779327e8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000779329a8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077932aa8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077932b88 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000779a3201 3 bytes [B8, F9, 7F]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5 00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000777e1e31 3 bytes [B8, 39, E0]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5 00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefda03461 3 bytes [B8, 39, C4]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefda0bfd1 3 bytes [B8, F9, BE]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefda4287a 2 bytes [50, C3]
.text C:\Windows\system32\taskeng.exe[776] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 0000000077adf8f0 5 bytes JMP 0000000175ba60c1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077adf928 5 bytes JMP 0000000175ba66f1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077adfb28 5 bytes JMP 0000000175ba5971
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077adfc20 5 bytes JMP 0000000175ba3061
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077adfc80 5 bytes JMP 0000000175ba1681
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077adfdc8 5 bytes JMP 0000000175ba6661
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077adfe44 5 bytes JMP 0000000175ba3181
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077adff24 5 bytes JMP 0000000175ba30f1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077adffa4 5 bytes JMP 0000000175ba6781
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077adffec 5 bytes JMP 0000000175ba2d91
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ae079c 5 bytes JMP 0000000175ba65d1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077ae1604 5 bytes JMP 0000000175ba4651
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077ae1d8c 5 bytes JMP 0000000175ba6811
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077ae1ee8 5 bytes JMP 0000000175ba6421
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000756b1072 5 bytes JMP 0000000075ba2911
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000756b4977 5 bytes JMP 0000000075ba2521
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000756d72f7 5 bytes JMP 0000000075ba2641
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000756d8904 5 bytes JMP 
0000000075ba5e81 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075732c51 5 bytes JMP 0000000075ba27f1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000075756f2b 5 bytes JMP 0000000075ba4261 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075756f4e 5 bytes JMP 0000000075ba4381 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 00000000757572f9 5 bytes JMP 0000000075ba44a1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075757372 5 bytes JMP 0000000075ba45c1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075998f7d 5 bytes JMP 0000000075ba19e1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007599c428 5 bytes JMP 0000000075ba37b1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007599ec98 5 bytes JMP 0000000075ba32a1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007599f1f8 5 bytes JMP 0000000075ba22e1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007599fa7b 5 bytes JMP 0000000075ba1dd1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000759a134a 5 bytes JMP 0000000075ba3721 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000759a1371 5 bytes JMP 0000000075ba3691 
.text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000759a1d1b 5 bytes JMP 0000000075ba1951 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000759a1e07 5 bytes JMP 0000000075ba2401 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000759a2aa4 5 bytes JMP 0000000075ba5a91 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000759a2ccc 5 bytes JMP 0000000075ba5a01 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000759a2d0a 5 bytes JMP 0000000075ba5b21 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000759a2e6d 5 bytes JMP 0000000075ba18c1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000759a3b63 5 bytes JMP 0000000075ba21c1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000759a4489 5 bytes JMP 0000000075ba2371 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000759a45fb 5 bytes JMP 0000000075ba3211 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000759a4624 5 bytes JMP 0000000075ba2b51 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000759ac72c 5 bytes JMP 0000000075ba26d1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007752ca4c 5 bytes JMP 0000000175ba38d1 .text 
C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000077532bf0 5 bytes JMP 0000000175ba3841 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007753369c 5 bytes JMP 0000000175ba3cc1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000775349e5 5 bytes JMP 0000000175ba68a1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 000000007754712c 5 bytes JMP 0000000175ba3f01 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000077547144 5 bytes JMP 0000000175ba3a81 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000007754715c 5 bytes JMP 0000000175ba3b11 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000775630e8 5 bytes JMP 0000000175ba3ba1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000775630f8 5 bytes JMP 0000000175ba3c31 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000077563108 5 bytes JMP 0000000175ba3961 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000077563118 5 bytes JMP 0000000175ba39f1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000077563158 5 bytes JMP 0000000175ba3e71 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\msvcrt.dll!_lock + 41 000000007734a472 5 bytes JMP 0000000175ba6931 .text 
C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\msvcrt.dll!__p__fmode 00000000773527ce 5 bytes JMP 0000000175ba1b91 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\msvcrt.dll!__p__environ 000000007735e6cf 5 bytes JMP 0000000175ba1b01 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000775d78e2 5 bytes JMP 0000000175ba4021 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000775d7bd3 5 bytes JMP 0000000175ba3f91 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000775d8a29 5 bytes JMP 0000000175ba52b1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000775d98fd 5 bytes JMP 0000000175ba5cd1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000775db6ed 5 bytes JMP 0000000175ba69c1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000775dd22e 5 bytes JMP 0000000175ba5341 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000775dffe6 5 bytes JMP 0000000175ba5bb1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000775e00d9 5 bytes JMP 0000000175ba5c41 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000775e05ba 5 bytes JMP 0000000175ba4141 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000775e0dfb 5 bytes JMP 0000000175ba53d1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] 
C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775e12a5 5 bytes JMP 0000000175ba6541 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000775e20ec 5 bytes JMP 0000000175ba5731 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775e3baa 5 bytes JMP 0000000175ba64b1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000775e5f74 5 bytes JMP 0000000175ba40b1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000775e6285 5 bytes JMP 0000000175ba4771 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775e7603 5 bytes JMP 0000000175ba2ac1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000775e7aee 5 bytes JMP 0000000175ba56a1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775e835c 5 bytes JMP 0000000175ba2a31 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000775fce54 5 bytes JMP 0000000175ba54f1 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775ff52b 5 bytes JMP 0000000175ba4801 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000775ff588 5 bytes JMP 0000000175ba5d61 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000776010a0 5 bytes JMP 0000000175ba5461 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] 
C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007762fcd6 5 bytes JMP 0000000175ba5581 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007762fcfa 5 bytes JMP 0000000175ba5611 .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771b1465 2 bytes [1B, 77] .text C:\Users\Peter\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[7344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771b14bb 2 bytes [1B, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3068:6160] 000007fef8fb9688 Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [6624:6816] 000007fee41bc680 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\Control@PreshutdownOrder wuauserv?gpsvc?trustedinstaller? Reg HKLM\SYSTEM\ControlSet002\Control@WaitToKillServiceTimeout 12000 Reg HKLM\SYSTEM\ControlSet002\Control@CurrentUser USERNAME Reg HKLM\SYSTEM\ControlSet002\Control@BootDriverFlags 0 Reg HKLM\SYSTEM\ControlSet002\Control@ServiceControlManagerExtension %systemroot%\system32\scext.dll Reg HKLM\SYSTEM\ControlSet002\Control@SystemStartOptions NOEXECUTE=OPTIN Reg HKLM\SYSTEM\ControlSet002\Control@SystemBootDevice multi(0)disk(0)rdisk(0)partition(3) Reg HKLM\SYSTEM\ControlSet002\Control@FirmwareBootDevice multi(0)disk(0)rdisk(0)partition(2) Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@CriticalSectionTimeout 2592000 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@GlobalFlag 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitFreeBlockThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitTotalFreeThreshold 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentCommit 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentReserve 0 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProcessorControl 2 Reg 
HKLM\SYSTEM\ControlSet002\Control\Session Manager@ResourceTimeoutCount 648000 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@BootExecute autocheck autochk *? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ExcludeFromKnownDlls Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ObjectDirectories \Windows?\RPC Control? Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProtectionMode 1 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@NumberOfInitialSessions 2 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@SetupExecute Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\Peter\AppData\Local\Temp\023140~1.EXE??\??\C:\Users\Peter\AppData\Local\Temp\MozyUninstaller.exe?? ---- Files - GMER 2.1 ---- File C:\Windows\Temp\~bd836.tmp 0 bytes ---- EOF - GMER 2.1 ---- |
09.10.2013, 09:01 | #19 |
/// the machine /// TB-Ausbilder | Windows 7: HomeTab\TBUpdater.dll blocks Firefox and destroys Outlook data
hi, scan with Combofix
__________________
regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!